postfix  2.11.3
About: Postfix is a mail system (an alternative to sendmail).
  Fossies Dox: postfix-2.11.3.tar.gz  ("inofficial" and yet experimental doxygen-generated source code documentation)  

 All Data Structures Files Functions Variables Typedefs Macros
smtpd.c
Go to the documentation of this file.
1 /*++
2 /* NAME
3 /* smtpd 8
4 /* SUMMARY
5 /* Postfix SMTP server
6 /* SYNOPSIS
7 /* \fBsmtpd\fR [generic Postfix daemon options]
8 /*
9 /* \fBsendmail -bs\fR
10 /* DESCRIPTION
11 /* The SMTP server accepts network connection requests
12 /* and performs zero or more SMTP transactions per connection.
13 /* Each received message is piped through the \fBcleanup\fR(8)
14 /* daemon, and is placed into the \fBincoming\fR queue as one
15 /* single queue file. For this mode of operation, the program
16 /* expects to be run from the \fBmaster\fR(8) process manager.
17 /*
18 /* Alternatively, the SMTP server be can run in stand-alone
19 /* mode; this is traditionally obtained with "\fBsendmail
20 /* -bs\fR". When the SMTP server runs stand-alone with non
21 /* $\fBmail_owner\fR privileges, it receives mail even while
22 /* the mail system is not running, deposits messages directly
23 /* into the \fBmaildrop\fR queue, and disables the SMTP server's
24 /* access policies. As of Postfix version 2.3, the SMTP server
25 /* refuses to receive mail from the network when it runs with
26 /* non $\fBmail_owner\fR privileges.
27 /*
28 /* The SMTP server implements a variety of policies for connection
29 /* requests, and for parameters given to \fBHELO, ETRN, MAIL FROM, VRFY\fR
30 /* and \fBRCPT TO\fR commands. They are detailed below and in the
31 /* \fBmain.cf\fR configuration file.
32 /* SECURITY
33 /* .ad
34 /* .fi
35 /* The SMTP server is moderately security-sensitive. It talks to SMTP
36 /* clients and to DNS servers on the network. The SMTP server can be
37 /* run chrooted at fixed low privilege.
38 /* STANDARDS
39 /* RFC 821 (SMTP protocol)
40 /* RFC 1123 (Host requirements)
41 /* RFC 1652 (8bit-MIME transport)
42 /* RFC 1869 (SMTP service extensions)
43 /* RFC 1870 (Message size declaration)
44 /* RFC 1985 (ETRN command)
45 /* RFC 2034 (SMTP enhanced status codes)
46 /* RFC 2554 (AUTH command)
47 /* RFC 2821 (SMTP protocol)
48 /* RFC 2920 (SMTP pipelining)
49 /* RFC 3207 (STARTTLS command)
50 /* RFC 3461 (SMTP DSN extension)
51 /* RFC 3463 (Enhanced status codes)
52 /* RFC 3848 (ESMTP transmission types)
53 /* RFC 4409 (Message submission)
54 /* RFC 4954 (AUTH command)
55 /* RFC 5321 (SMTP protocol)
56 /* DIAGNOSTICS
57 /* Problems and transactions are logged to \fBsyslogd\fR(8).
58 /*
59 /* Depending on the setting of the \fBnotify_classes\fR parameter,
60 /* the postmaster is notified of bounces, protocol problems,
61 /* policy violations, and of other trouble.
62 /* CONFIGURATION PARAMETERS
63 /* .ad
64 /* .fi
65 /* Changes to \fBmain.cf\fR are picked up automatically, as \fBsmtpd\fR(8)
66 /* processes run for only a limited amount of time. Use the command
67 /* "\fBpostfix reload\fR" to speed up a change.
68 /*
69 /* The text below provides only a parameter summary. See
70 /* \fBpostconf\fR(5) for more details including examples.
71 /* COMPATIBILITY CONTROLS
72 /* .ad
73 /* .fi
74 /* The following parameters work around implementation errors in other
75 /* software, and/or allow you to override standards in order to prevent
76 /* undesirable use.
77 /* .ad
78 /* .fi
79 /* .IP "\fBbroken_sasl_auth_clients (no)\fR"
80 /* Enable inter-operability with remote SMTP clients that implement an obsolete
81 /* version of the AUTH command (RFC 4954).
82 /* .IP "\fBdisable_vrfy_command (no)\fR"
83 /* Disable the SMTP VRFY command.
84 /* .IP "\fBsmtpd_noop_commands (empty)\fR"
85 /* List of commands that the Postfix SMTP server replies to with "250
86 /* Ok", without doing any syntax checks and without changing state.
87 /* .IP "\fBstrict_rfc821_envelopes (no)\fR"
88 /* Require that addresses received in SMTP MAIL FROM and RCPT TO
89 /* commands are enclosed with <>, and that those addresses do
90 /* not contain RFC 822 style comments or phrases.
91 /* .PP
92 /* Available in Postfix version 2.1 and later:
93 /* .IP "\fBsmtpd_reject_unlisted_sender (no)\fR"
94 /* Request that the Postfix SMTP server rejects mail from unknown
95 /* sender addresses, even when no explicit reject_unlisted_sender
96 /* access restriction is specified.
97 /* .IP "\fBsmtpd_sasl_exceptions_networks (empty)\fR"
98 /* What remote SMTP clients the Postfix SMTP server will not offer
99 /* AUTH support to.
100 /* .PP
101 /* Available in Postfix version 2.2 and later:
102 /* .IP "\fBsmtpd_discard_ehlo_keyword_address_maps (empty)\fR"
103 /* Lookup tables, indexed by the remote SMTP client address, with
104 /* case insensitive lists of EHLO keywords (pipelining, starttls, auth,
105 /* etc.) that the Postfix SMTP server will not send in the EHLO response
106 /* to a
107 /* remote SMTP client.
108 /* .IP "\fBsmtpd_discard_ehlo_keywords (empty)\fR"
109 /* A case insensitive list of EHLO keywords (pipelining, starttls,
110 /* auth, etc.) that the Postfix SMTP server will not send in the EHLO
111 /* response
112 /* to a remote SMTP client.
113 /* .IP "\fBsmtpd_delay_open_until_valid_rcpt (yes)\fR"
114 /* Postpone the start of an SMTP mail transaction until a valid
115 /* RCPT TO command is received.
116 /* .PP
117 /* Available in Postfix version 2.3 and later:
118 /* .IP "\fBsmtpd_tls_always_issue_session_ids (yes)\fR"
119 /* Force the Postfix SMTP server to issue a TLS session id, even
120 /* when TLS session caching is turned off (smtpd_tls_session_cache_database
121 /* is empty).
122 /* .PP
123 /* Available in Postfix version 2.6 and later:
124 /* .IP "\fBtcp_windowsize (0)\fR"
125 /* An optional workaround for routers that break TCP window scaling.
126 /* .PP
127 /* Available in Postfix version 2.7 and later:
128 /* .IP "\fBsmtpd_command_filter (empty)\fR"
129 /* A mechanism to transform commands from remote SMTP clients.
130 /* .PP
131 /* Available in Postfix version 2.9 and later:
132 /* .IP "\fBsmtpd_per_record_deadline (normal: no, overload: yes)\fR"
133 /* Change the behavior of the smtpd_timeout and smtpd_starttls_timeout
134 /* time limits, from a
135 /* time limit per read or write system call, to a time limit to send
136 /* or receive a complete record (an SMTP command line, SMTP response
137 /* line, SMTP message content line, or TLS protocol message).
138 /* ADDRESS REWRITING CONTROLS
139 /* .ad
140 /* .fi
141 /* See the ADDRESS_REWRITING_README document for a detailed
142 /* discussion of Postfix address rewriting.
143 /* .IP "\fBreceive_override_options (empty)\fR"
144 /* Enable or disable recipient validation, built-in content
145 /* filtering, or address mapping.
146 /* .PP
147 /* Available in Postfix version 2.2 and later:
148 /* .IP "\fBlocal_header_rewrite_clients (permit_inet_interfaces)\fR"
149 /* Rewrite message header addresses in mail from these clients and
150 /* update incomplete addresses with the domain name in $myorigin or
151 /* $mydomain; either don't rewrite message headers from other clients
152 /* at all, or rewrite message headers and update incomplete addresses
153 /* with the domain specified in the remote_header_rewrite_domain
154 /* parameter.
155 /* BEFORE-SMTPD PROXY AGENT
156 /* .ad
157 /* .fi
158 /* Available in Postfix version 2.10 and later:
159 /* .IP "\fBsmtpd_upstream_proxy_protocol (empty)\fR"
160 /* The name of the proxy protocol used by an optional before-smtpd
161 /* proxy agent.
162 /* .IP "\fBsmtpd_upstream_proxy_timeout (5s)\fR"
163 /* The time limit for the proxy protocol specified with the
164 /* smtpd_upstream_proxy_protocol parameter.
165 /* AFTER QUEUE EXTERNAL CONTENT INSPECTION CONTROLS
166 /* .ad
167 /* .fi
168 /* As of version 1.0, Postfix can be configured to send new mail to
169 /* an external content filter AFTER the mail is queued. This content
170 /* filter is expected to inject mail back into a (Postfix or other)
171 /* MTA for further delivery. See the FILTER_README document for details.
172 /* .IP "\fBcontent_filter (empty)\fR"
173 /* After the message is queued, send the entire message to the
174 /* specified \fItransport:destination\fR.
175 /* BEFORE QUEUE EXTERNAL CONTENT INSPECTION CONTROLS
176 /* .ad
177 /* .fi
178 /* As of version 2.1, the Postfix SMTP server can be configured
179 /* to send incoming mail to a real-time SMTP-based content filter
180 /* BEFORE mail is queued. This content filter is expected to inject
181 /* mail back into Postfix. See the SMTPD_PROXY_README document for
182 /* details on how to configure and operate this feature.
183 /* .IP "\fBsmtpd_proxy_filter (empty)\fR"
184 /* The hostname and TCP port of the mail filtering proxy server.
185 /* .IP "\fBsmtpd_proxy_ehlo ($myhostname)\fR"
186 /* How the Postfix SMTP server announces itself to the proxy filter.
187 /* .IP "\fBsmtpd_proxy_options (empty)\fR"
188 /* List of options that control how the Postfix SMTP server
189 /* communicates with a before-queue content filter.
190 /* .IP "\fBsmtpd_proxy_timeout (100s)\fR"
191 /* The time limit for connecting to a proxy filter and for sending or
192 /* receiving information.
193 /* BEFORE QUEUE MILTER CONTROLS
194 /* .ad
195 /* .fi
196 /* As of version 2.3, Postfix supports the Sendmail version 8
197 /* Milter (mail filter) protocol. These content filters run
198 /* outside Postfix. They can inspect the SMTP command stream
199 /* and the message content, and can request modifications before
200 /* mail is queued. For details see the MILTER_README document.
201 /* .IP "\fBsmtpd_milters (empty)\fR"
202 /* A list of Milter (mail filter) applications for new mail that
203 /* arrives via the Postfix \fBsmtpd\fR(8) server.
204 /* .IP "\fBmilter_protocol (6)\fR"
205 /* The mail filter protocol version and optional protocol extensions
206 /* for communication with a Milter application; prior to Postfix 2.6
207 /* the default protocol is 2.
208 /* .IP "\fBmilter_default_action (tempfail)\fR"
209 /* The default action when a Milter (mail filter) application is
210 /* unavailable or mis-configured.
211 /* .IP "\fBmilter_macro_daemon_name ($myhostname)\fR"
212 /* The {daemon_name} macro value for Milter (mail filter) applications.
213 /* .IP "\fBmilter_macro_v ($mail_name $mail_version)\fR"
214 /* The {v} macro value for Milter (mail filter) applications.
215 /* .IP "\fBmilter_connect_timeout (30s)\fR"
216 /* The time limit for connecting to a Milter (mail filter)
217 /* application, and for negotiating protocol options.
218 /* .IP "\fBmilter_command_timeout (30s)\fR"
219 /* The time limit for sending an SMTP command to a Milter (mail
220 /* filter) application, and for receiving the response.
221 /* .IP "\fBmilter_content_timeout (300s)\fR"
222 /* The time limit for sending message content to a Milter (mail
223 /* filter) application, and for receiving the response.
224 /* .IP "\fBmilter_connect_macros (see 'postconf -d' output)\fR"
225 /* The macros that are sent to Milter (mail filter) applications
226 /* after completion of an SMTP connection.
227 /* .IP "\fBmilter_helo_macros (see 'postconf -d' output)\fR"
228 /* The macros that are sent to Milter (mail filter) applications
229 /* after the SMTP HELO or EHLO command.
230 /* .IP "\fBmilter_mail_macros (see 'postconf -d' output)\fR"
231 /* The macros that are sent to Milter (mail filter) applications
232 /* after the SMTP MAIL FROM command.
233 /* .IP "\fBmilter_rcpt_macros (see 'postconf -d' output)\fR"
234 /* The macros that are sent to Milter (mail filter) applications
235 /* after the SMTP RCPT TO command.
236 /* .IP "\fBmilter_data_macros (see 'postconf -d' output)\fR"
237 /* The macros that are sent to version 4 or higher Milter (mail
238 /* filter) applications after the SMTP DATA command.
239 /* .IP "\fBmilter_unknown_command_macros (see 'postconf -d' output)\fR"
240 /* The macros that are sent to version 3 or higher Milter (mail
241 /* filter) applications after an unknown SMTP command.
242 /* .IP "\fBmilter_end_of_header_macros (see 'postconf -d' output)\fR"
243 /* The macros that are sent to Milter (mail filter) applications
244 /* after the end of the message header.
245 /* .IP "\fBmilter_end_of_data_macros (see 'postconf -d' output)\fR"
246 /* The macros that are sent to Milter (mail filter) applications
247 /* after the message end-of-data.
248 /* GENERAL CONTENT INSPECTION CONTROLS
249 /* .ad
250 /* .fi
251 /* The following parameters are applicable for both built-in
252 /* and external content filters.
253 /* .PP
254 /* Available in Postfix version 2.1 and later:
255 /* .IP "\fBreceive_override_options (empty)\fR"
256 /* Enable or disable recipient validation, built-in content
257 /* filtering, or address mapping.
258 /* EXTERNAL CONTENT INSPECTION CONTROLS
259 /* .ad
260 /* .fi
261 /* The following parameters are applicable for both before-queue
262 /* and after-queue content filtering.
263 /* .PP
264 /* Available in Postfix version 2.1 and later:
265 /* .IP "\fBsmtpd_authorized_xforward_hosts (empty)\fR"
266 /* What remote SMTP clients are allowed to use the XFORWARD feature.
267 /* SASL AUTHENTICATION CONTROLS
268 /* .ad
269 /* .fi
270 /* Postfix SASL support (RFC 4954) can be used to authenticate remote
271 /* SMTP clients to the Postfix SMTP server, and to authenticate the
272 /* Postfix SMTP client to a remote SMTP server.
273 /* See the SASL_README document for details.
274 /* .IP "\fBbroken_sasl_auth_clients (no)\fR"
275 /* Enable inter-operability with remote SMTP clients that implement an obsolete
276 /* version of the AUTH command (RFC 4954).
277 /* .IP "\fBsmtpd_sasl_auth_enable (no)\fR"
278 /* Enable SASL authentication in the Postfix SMTP server.
279 /* .IP "\fBsmtpd_sasl_local_domain (empty)\fR"
280 /* The name of the Postfix SMTP server's local SASL authentication
281 /* realm.
282 /* .IP "\fBsmtpd_sasl_security_options (noanonymous)\fR"
283 /* Postfix SMTP server SASL security options; as of Postfix 2.3
284 /* the list of available
285 /* features depends on the SASL server implementation that is selected
286 /* with \fBsmtpd_sasl_type\fR.
287 /* .IP "\fBsmtpd_sender_login_maps (empty)\fR"
288 /* Optional lookup table with the SASL login names that own sender
289 /* (MAIL FROM) addresses.
290 /* .PP
291 /* Available in Postfix version 2.1 and later:
292 /* .IP "\fBsmtpd_sasl_exceptions_networks (empty)\fR"
293 /* What remote SMTP clients the Postfix SMTP server will not offer
294 /* AUTH support to.
295 /* .PP
296 /* Available in Postfix version 2.1 and 2.2:
297 /* .IP "\fBsmtpd_sasl_application_name (smtpd)\fR"
298 /* The application name that the Postfix SMTP server uses for SASL
299 /* server initialization.
300 /* .PP
301 /* Available in Postfix version 2.3 and later:
302 /* .IP "\fBsmtpd_sasl_authenticated_header (no)\fR"
303 /* Report the SASL authenticated user name in the \fBsmtpd\fR(8) Received
304 /* message header.
305 /* .IP "\fBsmtpd_sasl_path (smtpd)\fR"
306 /* Implementation-specific information that the Postfix SMTP server
307 /* passes through to
308 /* the SASL plug-in implementation that is selected with
309 /* \fBsmtpd_sasl_type\fR.
310 /* .IP "\fBsmtpd_sasl_type (cyrus)\fR"
311 /* The SASL plug-in type that the Postfix SMTP server should use
312 /* for authentication.
313 /* .PP
314 /* Available in Postfix version 2.5 and later:
315 /* .IP "\fBcyrus_sasl_config_path (empty)\fR"
316 /* Search path for Cyrus SASL application configuration files,
317 /* currently used only to locate the $smtpd_sasl_path.conf file.
318 /* .PP
319 /* Available in Postfix version 2.11 and later:
320 /* .IP "\fBsmtpd_sasl_service (smtp)\fR"
321 /* The service name that is passed to the SASL plug-in that is
322 /* selected with \fBsmtpd_sasl_type\fR and \fBsmtpd_sasl_path\fR.
323 /* STARTTLS SUPPORT CONTROLS
324 /* .ad
325 /* .fi
326 /* Detailed information about STARTTLS configuration may be
327 /* found in the TLS_README document.
328 /* .IP "\fBsmtpd_tls_security_level (empty)\fR"
329 /* The SMTP TLS security level for the Postfix SMTP server; when
330 /* a non-empty value is specified, this overrides the obsolete parameters
331 /* smtpd_use_tls and smtpd_enforce_tls.
332 /* .IP "\fBsmtpd_sasl_tls_security_options ($smtpd_sasl_security_options)\fR"
333 /* The SASL authentication security options that the Postfix SMTP
334 /* server uses for TLS encrypted SMTP sessions.
335 /* .IP "\fBsmtpd_starttls_timeout (see 'postconf -d' output)\fR"
336 /* The time limit for Postfix SMTP server write and read operations
337 /* during TLS startup and shutdown handshake procedures.
338 /* .IP "\fBsmtpd_tls_CAfile (empty)\fR"
339 /* A file containing (PEM format) CA certificates of root CAs trusted
340 /* to sign either remote SMTP client certificates or intermediate CA
341 /* certificates.
342 /* .IP "\fBsmtpd_tls_CApath (empty)\fR"
343 /* A directory containing (PEM format) CA certificates of root CAs
344 /* trusted to sign either remote SMTP client certificates or intermediate CA
345 /* certificates.
346 /* .IP "\fBsmtpd_tls_always_issue_session_ids (yes)\fR"
347 /* Force the Postfix SMTP server to issue a TLS session id, even
348 /* when TLS session caching is turned off (smtpd_tls_session_cache_database
349 /* is empty).
350 /* .IP "\fBsmtpd_tls_ask_ccert (no)\fR"
351 /* Ask a remote SMTP client for a client certificate.
352 /* .IP "\fBsmtpd_tls_auth_only (no)\fR"
353 /* When TLS encryption is optional in the Postfix SMTP server, do
354 /* not announce or accept SASL authentication over unencrypted
355 /* connections.
356 /* .IP "\fBsmtpd_tls_ccert_verifydepth (9)\fR"
357 /* The verification depth for remote SMTP client certificates.
358 /* .IP "\fBsmtpd_tls_cert_file (empty)\fR"
359 /* File with the Postfix SMTP server RSA certificate in PEM format.
360 /* .IP "\fBsmtpd_tls_exclude_ciphers (empty)\fR"
361 /* List of ciphers or cipher types to exclude from the SMTP server
362 /* cipher list at all TLS security levels.
363 /* .IP "\fBsmtpd_tls_dcert_file (empty)\fR"
364 /* File with the Postfix SMTP server DSA certificate in PEM format.
365 /* .IP "\fBsmtpd_tls_dh1024_param_file (empty)\fR"
366 /* File with DH parameters that the Postfix SMTP server should
367 /* use with non-export EDH ciphers.
368 /* .IP "\fBsmtpd_tls_dh512_param_file (empty)\fR"
369 /* File with DH parameters that the Postfix SMTP server should
370 /* use with export-grade EDH ciphers.
371 /* .IP "\fBsmtpd_tls_dkey_file ($smtpd_tls_dcert_file)\fR"
372 /* File with the Postfix SMTP server DSA private key in PEM format.
373 /* .IP "\fBsmtpd_tls_key_file ($smtpd_tls_cert_file)\fR"
374 /* File with the Postfix SMTP server RSA private key in PEM format.
375 /* .IP "\fBsmtpd_tls_loglevel (0)\fR"
376 /* Enable additional Postfix SMTP server logging of TLS activity.
377 /* .IP "\fBsmtpd_tls_mandatory_ciphers (medium)\fR"
378 /* The minimum TLS cipher grade that the Postfix SMTP server will
379 /* use with mandatory TLS encryption.
380 /* .IP "\fBsmtpd_tls_mandatory_exclude_ciphers (empty)\fR"
381 /* Additional list of ciphers or cipher types to exclude from the
382 /* Postfix SMTP server cipher list at mandatory TLS security levels.
383 /* .IP "\fBsmtpd_tls_mandatory_protocols (!SSLv2)\fR"
384 /* The SSL/TLS protocols accepted by the Postfix SMTP server with
385 /* mandatory TLS encryption.
386 /* .IP "\fBsmtpd_tls_received_header (no)\fR"
387 /* Request that the Postfix SMTP server produces Received: message
388 /* headers that include information about the protocol and cipher used,
389 /* as well as the remote SMTP client CommonName and client certificate issuer
390 /* CommonName.
391 /* .IP "\fBsmtpd_tls_req_ccert (no)\fR"
392 /* With mandatory TLS encryption, require a trusted remote SMTP client
393 /* certificate in order to allow TLS connections to proceed.
394 /* .IP "\fBsmtpd_tls_wrappermode (no)\fR"
395 /* Run the Postfix SMTP server in the non-standard "wrapper" mode,
396 /* instead of using the STARTTLS command.
397 /* .IP "\fBtls_daemon_random_bytes (32)\fR"
398 /* The number of pseudo-random bytes that an \fBsmtp\fR(8) or \fBsmtpd\fR(8)
399 /* process requests from the \fBtlsmgr\fR(8) server in order to seed its
400 /* internal pseudo random number generator (PRNG).
401 /* .IP "\fBtls_high_cipherlist (ALL:!EXPORT:!LOW:!MEDIUM:+RC4:@STRENGTH)\fR"
402 /* The OpenSSL cipherlist for "HIGH" grade ciphers.
403 /* .IP "\fBtls_medium_cipherlist (ALL:!EXPORT:!LOW:+RC4:@STRENGTH)\fR"
404 /* The OpenSSL cipherlist for "MEDIUM" or higher grade ciphers.
405 /* .IP "\fBtls_low_cipherlist (ALL:!EXPORT:+RC4:@STRENGTH)\fR"
406 /* The OpenSSL cipherlist for "LOW" or higher grade ciphers.
407 /* .IP "\fBtls_export_cipherlist (ALL:+RC4:@STRENGTH)\fR"
408 /* The OpenSSL cipherlist for "EXPORT" or higher grade ciphers.
409 /* .IP "\fBtls_null_cipherlist (eNULL:!aNULL)\fR"
410 /* The OpenSSL cipherlist for "NULL" grade ciphers that provide
411 /* authentication without encryption.
412 /* .PP
413 /* Available in Postfix version 2.5 and later:
414 /* .IP "\fBsmtpd_tls_fingerprint_digest (md5)\fR"
415 /* The message digest algorithm to construct remote SMTP
416 /* client-certificate
417 /* fingerprints or public key fingerprints (Postfix 2.9 and later)
418 /* for \fBcheck_ccert_access\fR and \fBpermit_tls_clientcerts\fR.
419 /* .PP
420 /* Available in Postfix version 2.6 and later:
421 /* .IP "\fBsmtpd_tls_protocols (empty)\fR"
422 /* List of TLS protocols that the Postfix SMTP server will exclude
423 /* or include with opportunistic TLS encryption.
424 /* .IP "\fBsmtpd_tls_ciphers (export)\fR"
425 /* The minimum TLS cipher grade that the Postfix SMTP server
426 /* will use with opportunistic TLS encryption.
427 /* .IP "\fBsmtpd_tls_eccert_file (empty)\fR"
428 /* File with the Postfix SMTP server ECDSA certificate in PEM format.
429 /* .IP "\fBsmtpd_tls_eckey_file ($smtpd_tls_eccert_file)\fR"
430 /* File with the Postfix SMTP server ECDSA private key in PEM format.
431 /* .IP "\fBsmtpd_tls_eecdh_grade (see 'postconf -d' output)\fR"
432 /* The Postfix SMTP server security grade for ephemeral elliptic-curve
433 /* Diffie-Hellman (EECDH) key exchange.
434 /* .IP "\fBtls_eecdh_strong_curve (prime256v1)\fR"
435 /* The elliptic curve used by the Postfix SMTP server for sensibly
436 /* strong
437 /* ephemeral ECDH key exchange.
438 /* .IP "\fBtls_eecdh_ultra_curve (secp384r1)\fR"
439 /* The elliptic curve used by the Postfix SMTP server for maximally
440 /* strong
441 /* ephemeral ECDH key exchange.
442 /* .PP
443 /* Available in Postfix version 2.8 and later:
444 /* .IP "\fBtls_preempt_cipherlist (no)\fR"
445 /* With SSLv3 and later, use the Postfix SMTP server's cipher
446 /* preference order instead of the remote client's cipher preference
447 /* order.
448 /* .IP "\fBtls_disable_workarounds (see 'postconf -d' output)\fR"
449 /* List or bit-mask of OpenSSL bug work-arounds to disable.
450 /* .PP
451 /* Available in Postfix version 2.11 and later:
452 /* .IP "\fBtlsmgr_service_name (tlsmgr)\fR"
453 /* The name of the \fBtlsmgr\fR(8) service entry in master.cf.
454 /* OBSOLETE STARTTLS CONTROLS
455 /* .ad
456 /* .fi
457 /* The following configuration parameters exist for compatibility
458 /* with Postfix versions before 2.3. Support for these will
459 /* be removed in a future release.
460 /* .IP "\fBsmtpd_use_tls (no)\fR"
461 /* Opportunistic TLS: announce STARTTLS support to remote SMTP clients,
462 /* but do not require that clients use TLS encryption.
463 /* .IP "\fBsmtpd_enforce_tls (no)\fR"
464 /* Mandatory TLS: announce STARTTLS support to remote SMTP clients,
465 /* and require that clients use TLS encryption.
466 /* .IP "\fBsmtpd_tls_cipherlist (empty)\fR"
467 /* Obsolete Postfix < 2.3 control for the Postfix SMTP server TLS
468 /* cipher list.
469 /* VERP SUPPORT CONTROLS
470 /* .ad
471 /* .fi
472 /* With VERP style delivery, each recipient of a message receives a
473 /* customized copy of the message with his/her own recipient address
474 /* encoded in the envelope sender address. The VERP_README file
475 /* describes configuration and operation details of Postfix support
476 /* for variable envelope return path addresses. VERP style delivery
477 /* is requested with the SMTP XVERP command or with the "sendmail
478 /* -V" command-line option and is available in Postfix version 1.1
479 /* and later.
480 /* .IP "\fBdefault_verp_delimiters (+=)\fR"
481 /* The two default VERP delimiter characters.
482 /* .IP "\fBverp_delimiter_filter (-=+)\fR"
483 /* The characters Postfix accepts as VERP delimiter characters on the
484 /* Postfix \fBsendmail\fR(1) command line and in SMTP commands.
485 /* .PP
486 /* Available in Postfix version 1.1 and 2.0:
487 /* .IP "\fBauthorized_verp_clients ($mynetworks)\fR"
488 /* What remote SMTP clients are allowed to specify the XVERP command.
489 /* .PP
490 /* Available in Postfix version 2.1 and later:
491 /* .IP "\fBsmtpd_authorized_verp_clients ($authorized_verp_clients)\fR"
492 /* What remote SMTP clients are allowed to specify the XVERP command.
493 /* TROUBLE SHOOTING CONTROLS
494 /* .ad
495 /* .fi
496 /* The DEBUG_README document describes how to debug parts of the
497 /* Postfix mail system. The methods vary from making the software log
498 /* a lot of detail, to running some daemon processes under control of
499 /* a call tracer or debugger.
500 /* .IP "\fBdebug_peer_level (2)\fR"
501 /* The increment in verbose logging level when a remote client or
502 /* server matches a pattern in the debug_peer_list parameter.
503 /* .IP "\fBdebug_peer_list (empty)\fR"
504 /* Optional list of remote client or server hostname or network
505 /* address patterns that cause the verbose logging level to increase
506 /* by the amount specified in $debug_peer_level.
507 /* .IP "\fBerror_notice_recipient (postmaster)\fR"
508 /* The recipient of postmaster notifications about mail delivery
509 /* problems that are caused by policy, resource, software or protocol
510 /* errors.
511 /* .IP "\fBinternal_mail_filter_classes (empty)\fR"
512 /* What categories of Postfix-generated mail are subject to
513 /* before-queue content inspection by non_smtpd_milters, header_checks
514 /* and body_checks.
515 /* .IP "\fBnotify_classes (resource, software)\fR"
516 /* The list of error classes that are reported to the postmaster.
517 /* .IP "\fBsmtpd_reject_footer (empty)\fR"
518 /* Optional information that is appended after each Postfix SMTP
519 /* server
520 /* 4XX or 5XX response.
521 /* .IP "\fBsoft_bounce (no)\fR"
522 /* Safety net to keep mail queued that would otherwise be returned to
523 /* the sender.
524 /* .PP
525 /* Available in Postfix version 2.1 and later:
526 /* .IP "\fBsmtpd_authorized_xclient_hosts (empty)\fR"
527 /* What remote SMTP clients are allowed to use the XCLIENT feature.
528 /* .PP
529 /* Available in Postfix version 2.10 and later:
530 /* .IP "\fBsmtpd_log_access_permit_actions (empty)\fR"
531 /* Enable logging of the named "permit" actions in SMTP server
532 /* access lists (by default, the SMTP server logs "reject" actions but
533 /* not "permit" actions).
534 /* KNOWN VERSUS UNKNOWN RECIPIENT CONTROLS
535 /* .ad
536 /* .fi
537 /* As of Postfix version 2.0, the SMTP server rejects mail for
538 /* unknown recipients. This prevents the mail queue from clogging up
539 /* with undeliverable MAILER-DAEMON messages. Additional information
540 /* on this topic is in the LOCAL_RECIPIENT_README and ADDRESS_CLASS_README
541 /* documents.
542 /* .IP "\fBshow_user_unknown_table_name (yes)\fR"
543 /* Display the name of the recipient table in the "User unknown"
544 /* responses.
545 /* .IP "\fBcanonical_maps (empty)\fR"
546 /* Optional address mapping lookup tables for message headers and
547 /* envelopes.
548 /* .IP "\fBrecipient_canonical_maps (empty)\fR"
549 /* Optional address mapping lookup tables for envelope and header
550 /* recipient addresses.
551 /* .PP
552 /* Parameters concerning known/unknown local recipients:
553 /* .IP "\fBmydestination ($myhostname, localhost.$mydomain, localhost)\fR"
554 /* The list of domains that are delivered via the $local_transport
555 /* mail delivery transport.
556 /* .IP "\fBinet_interfaces (all)\fR"
557 /* The network interface addresses that this mail system receives
558 /* mail on.
559 /* .IP "\fBproxy_interfaces (empty)\fR"
560 /* The network interface addresses that this mail system receives mail
561 /* on by way of a proxy or network address translation unit.
562 /* .IP "\fBinet_protocols (all)\fR"
563 /* The Internet protocols Postfix will attempt to use when making
564 /* or accepting connections.
565 /* .IP "\fBlocal_recipient_maps (proxy:unix:passwd.byname $alias_maps)\fR"
566 /* Lookup tables with all names or addresses of local recipients:
567 /* a recipient address is local when its domain matches $mydestination,
568 /* $inet_interfaces or $proxy_interfaces.
569 /* .IP "\fBunknown_local_recipient_reject_code (550)\fR"
570 /* The numerical Postfix SMTP server response code when a recipient
571 /* address is local, and $local_recipient_maps specifies a list of
572 /* lookup tables that does not match the recipient.
573 /* .PP
574 /* Parameters concerning known/unknown recipients of relay destinations:
575 /* .IP "\fBrelay_domains ($mydestination)\fR"
576 /* What destination domains (and subdomains thereof) this system
577 /* will relay mail to.
578 /* .IP "\fBrelay_recipient_maps (empty)\fR"
579 /* Optional lookup tables with all valid addresses in the domains
580 /* that match $relay_domains.
581 /* .IP "\fBunknown_relay_recipient_reject_code (550)\fR"
582 /* The numerical Postfix SMTP server reply code when a recipient
583 /* address matches $relay_domains, and relay_recipient_maps specifies
584 /* a list of lookup tables that does not match the recipient address.
585 /* .PP
586 /* Parameters concerning known/unknown recipients in virtual alias
587 /* domains:
588 /* .IP "\fBvirtual_alias_domains ($virtual_alias_maps)\fR"
589 /* Postfix is final destination for the specified list of virtual
590 /* alias domains, that is, domains for which all addresses are aliased
591 /* to addresses in other local or remote domains.
592 /* .IP "\fBvirtual_alias_maps ($virtual_maps)\fR"
593 /* Optional lookup tables that alias specific mail addresses or domains
594 /* to other local or remote address.
595 /* .IP "\fBunknown_virtual_alias_reject_code (550)\fR"
596 /* The Postfix SMTP server reply code when a recipient address matches
597 /* $virtual_alias_domains, and $virtual_alias_maps specifies a list
598 /* of lookup tables that does not match the recipient address.
599 /* .PP
600 /* Parameters concerning known/unknown recipients in virtual mailbox
601 /* domains:
602 /* .IP "\fBvirtual_mailbox_domains ($virtual_mailbox_maps)\fR"
603 /* Postfix is final destination for the specified list of domains;
604 /* mail is delivered via the $virtual_transport mail delivery transport.
605 /* .IP "\fBvirtual_mailbox_maps (empty)\fR"
606 /* Optional lookup tables with all valid addresses in the domains that
607 /* match $virtual_mailbox_domains.
608 /* .IP "\fBunknown_virtual_mailbox_reject_code (550)\fR"
609 /* The Postfix SMTP server reply code when a recipient address matches
610 /* $virtual_mailbox_domains, and $virtual_mailbox_maps specifies a list
611 /* of lookup tables that does not match the recipient address.
612 /* RESOURCE AND RATE CONTROLS
613 /* .ad
614 /* .fi
615 /* The following parameters limit resource usage by the SMTP
616 /* server and/or control client request rates.
617 /* .IP "\fBline_length_limit (2048)\fR"
618 /* Upon input, long lines are chopped up into pieces of at most
619 /* this length; upon delivery, long lines are reconstructed.
620 /* .IP "\fBqueue_minfree (0)\fR"
621 /* The minimal amount of free space in bytes in the queue file system
622 /* that is needed to receive mail.
623 /* .IP "\fBmessage_size_limit (10240000)\fR"
624 /* The maximal size in bytes of a message, including envelope information.
625 /* .IP "\fBsmtpd_recipient_limit (1000)\fR"
626 /* The maximal number of recipients that the Postfix SMTP server
627 /* accepts per message delivery request.
628 /* .IP "\fBsmtpd_timeout (normal: 300s, overload: 10s)\fR"
629 /* The time limit for sending a Postfix SMTP server response and for
630 /* receiving a remote SMTP client request.
631 /* .IP "\fBsmtpd_history_flush_threshold (100)\fR"
632 /* The maximal number of lines in the Postfix SMTP server command history
633 /* before it is flushed upon receipt of EHLO, RSET, or end of DATA.
634 /* .PP
635 /* Available in Postfix version 2.3 and later:
636 /* .IP "\fBsmtpd_peername_lookup (yes)\fR"
637 /* Attempt to look up the remote SMTP client hostname, and verify that
638 /* the name matches the client IP address.
639 /* .PP
640 /* The per SMTP client connection count and request rate limits are
641 /* implemented in co-operation with the \fBanvil\fR(8) service, and
642 /* are available in Postfix version 2.2 and later.
643 /* .IP "\fBsmtpd_client_connection_count_limit (50)\fR"
644 /* How many simultaneous connections any client is allowed to
645 /* make to this service.
646 /* .IP "\fBsmtpd_client_connection_rate_limit (0)\fR"
647 /* The maximal number of connection attempts any client is allowed to
648 /* make to this service per time unit.
649 /* .IP "\fBsmtpd_client_message_rate_limit (0)\fR"
650 /* The maximal number of message delivery requests that any client is
651 /* allowed to make to this service per time unit, regardless of whether
652 /* or not Postfix actually accepts those messages.
653 /* .IP "\fBsmtpd_client_recipient_rate_limit (0)\fR"
654 /* The maximal number of recipient addresses that any client is allowed
655 /* to send to this service per time unit, regardless of whether or not
656 /* Postfix actually accepts those recipients.
657 /* .IP "\fBsmtpd_client_event_limit_exceptions ($mynetworks)\fR"
658 /* Clients that are excluded from smtpd_client_*_count/rate_limit
659 /* restrictions.
660 /* .PP
661 /* Available in Postfix version 2.3 and later:
662 /* .IP "\fBsmtpd_client_new_tls_session_rate_limit (0)\fR"
663 /* The maximal number of new (i.e., uncached) TLS sessions that a
664 /* remote SMTP client is allowed to negotiate with this service per
665 /* time unit.
666 /* .PP
667 /* Available in Postfix version 2.9 and later:
668 /* .IP "\fBsmtpd_per_record_deadline (normal: no, overload: yes)\fR"
669 /* Change the behavior of the smtpd_timeout and smtpd_starttls_timeout
670 /* time limits, from a
671 /* time limit per read or write system call, to a time limit to send
672 /* or receive a complete record (an SMTP command line, SMTP response
673 /* line, SMTP message content line, or TLS protocol message).
674 /* TARPIT CONTROLS
675 /* .ad
676 /* .fi
677 /* When a remote SMTP client makes errors, the Postfix SMTP server
678 /* can insert delays before responding. This can help to slow down
679 /* run-away software. The behavior is controlled by an error counter
680 /* that counts the number of errors within an SMTP session that a
681 /* client makes without delivering mail.
682 /* .IP "\fBsmtpd_error_sleep_time (1s)\fR"
683 /* With Postfix version 2.1 and later: the SMTP server response delay after
684 /* a client has made more than $smtpd_soft_error_limit errors, and
685 /* fewer than $smtpd_hard_error_limit errors, without delivering mail.
686 /* .IP "\fBsmtpd_soft_error_limit (10)\fR"
687 /* The number of errors a remote SMTP client is allowed to make without
688 /* delivering mail before the Postfix SMTP server slows down all its
689 /* responses.
690 /* .IP "\fBsmtpd_hard_error_limit (normal: 20, overload: 1)\fR"
691 /* The maximal number of errors a remote SMTP client is allowed to
692 /* make without delivering mail.
693 /* .IP "\fBsmtpd_junk_command_limit (normal: 100, overload: 1)\fR"
694 /* The number of junk commands (NOOP, VRFY, ETRN or RSET) that a remote
695 /* SMTP client can send before the Postfix SMTP server starts to
696 /* increment the error counter with each junk command.
697 /* .PP
698 /* Available in Postfix version 2.1 and later:
699 /* .IP "\fBsmtpd_recipient_overshoot_limit (1000)\fR"
700 /* The number of recipients that a remote SMTP client can send in
701 /* excess of the limit specified with $smtpd_recipient_limit, before
702 /* the Postfix SMTP server increments the per-session error count
703 /* for each excess recipient.
704 /* ACCESS POLICY DELEGATION CONTROLS
705 /* .ad
706 /* .fi
707 /* As of version 2.1, Postfix can be configured to delegate access
708 /* policy decisions to an external server that runs outside Postfix.
709 /* See the file SMTPD_POLICY_README for more information.
710 /* .IP "\fBsmtpd_policy_service_max_idle (300s)\fR"
711 /* The time after which an idle SMTPD policy service connection is
712 /* closed.
713 /* .IP "\fBsmtpd_policy_service_max_ttl (1000s)\fR"
714 /* The time after which an active SMTPD policy service connection is
715 /* closed.
716 /* .IP "\fBsmtpd_policy_service_timeout (100s)\fR"
717 /* The time limit for connecting to, writing to or receiving from a
718 /* delegated SMTPD policy server.
719 /* ACCESS CONTROLS
720 /* .ad
721 /* .fi
722 /* The SMTPD_ACCESS_README document gives an introduction to all the
723 /* SMTP server access control features.
724 /* .IP "\fBsmtpd_delay_reject (yes)\fR"
725 /* Wait until the RCPT TO command before evaluating
726 /* $smtpd_client_restrictions, $smtpd_helo_restrictions and
727 /* $smtpd_sender_restrictions, or wait until the ETRN command before
728 /* evaluating $smtpd_client_restrictions and $smtpd_helo_restrictions.
729 /* .IP "\fBparent_domain_matches_subdomains (see 'postconf -d' output)\fR"
730 /* What Postfix features match subdomains of "domain.tld" automatically,
731 /* instead of requiring an explicit ".domain.tld" pattern.
732 /* .IP "\fBsmtpd_client_restrictions (empty)\fR"
733 /* Optional restrictions that the Postfix SMTP server applies in the
734 /* context of a client connection request.
735 /* .IP "\fBsmtpd_helo_required (no)\fR"
736 /* Require that a remote SMTP client introduces itself with the HELO
737 /* or EHLO command before sending the MAIL command or other commands
738 /* that require EHLO negotiation.
739 /* .IP "\fBsmtpd_helo_restrictions (empty)\fR"
740 /* Optional restrictions that the Postfix SMTP server applies in the
741 /* context of a client HELO command.
742 /* .IP "\fBsmtpd_sender_restrictions (empty)\fR"
743 /* Optional restrictions that the Postfix SMTP server applies in the
744 /* context of a client MAIL FROM command.
745 /* .IP "\fBsmtpd_recipient_restrictions (see 'postconf -d' output)\fR"
746 /* Optional restrictions that the Postfix SMTP server applies in the
747 /* context of a client RCPT TO command, after smtpd_relay_restrictions.
748 /* .IP "\fBsmtpd_etrn_restrictions (empty)\fR"
749 /* Optional restrictions that the Postfix SMTP server applies in the
750 /* context of a client ETRN command.
751 /* .IP "\fBallow_untrusted_routing (no)\fR"
752 /* Forward mail with sender-specified routing (user[@%!]remote[@%!]site)
753 /* from untrusted clients to destinations matching $relay_domains.
754 /* .IP "\fBsmtpd_restriction_classes (empty)\fR"
755 /* User-defined aliases for groups of access restrictions.
756 /* .IP "\fBsmtpd_null_access_lookup_key (<>)\fR"
757 /* The lookup key to be used in SMTP \fBaccess\fR(5) tables instead of the
758 /* null sender address.
759 /* .IP "\fBpermit_mx_backup_networks (empty)\fR"
760 /* Restrict the use of the permit_mx_backup SMTP access feature to
761 /* only domains whose primary MX hosts match the listed networks.
762 /* .PP
763 /* Available in Postfix version 2.0 and later:
764 /* .IP "\fBsmtpd_data_restrictions (empty)\fR"
765 /* Optional access restrictions that the Postfix SMTP server applies
766 /* in the context of the SMTP DATA command.
767 /* .IP "\fBsmtpd_expansion_filter (see 'postconf -d' output)\fR"
768 /* What characters are allowed in $name expansions of RBL reply
769 /* templates.
770 /* .PP
771 /* Available in Postfix version 2.1 and later:
772 /* .IP "\fBsmtpd_reject_unlisted_sender (no)\fR"
773 /* Request that the Postfix SMTP server rejects mail from unknown
774 /* sender addresses, even when no explicit reject_unlisted_sender
775 /* access restriction is specified.
776 /* .IP "\fBsmtpd_reject_unlisted_recipient (yes)\fR"
777 /* Request that the Postfix SMTP server rejects mail for unknown
778 /* recipient addresses, even when no explicit reject_unlisted_recipient
779 /* access restriction is specified.
780 /* .PP
781 /* Available in Postfix version 2.2 and later:
782 /* .IP "\fBsmtpd_end_of_data_restrictions (empty)\fR"
783 /* Optional access restrictions that the Postfix SMTP server
784 /* applies in the context of the SMTP END-OF-DATA command.
785 /* .PP
786 /* Available in Postfix version 2.10 and later:
787 /* .IP "\fBsmtpd_relay_restrictions (permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination)\fR"
788 /* Access restrictions for mail relay control that the Postfix
789 /* SMTP server applies in the context of the RCPT TO command, before
790 /* smtpd_recipient_restrictions.
791 /* SENDER AND RECIPIENT ADDRESS VERIFICATION CONTROLS
792 /* .ad
793 /* .fi
794 /* Postfix version 2.1 introduces sender and recipient address verification.
795 /* This feature is implemented by sending probe email messages that
796 /* are not actually delivered.
797 /* This feature is requested via the reject_unverified_sender and
798 /* reject_unverified_recipient access restrictions. The status of
799 /* verification probes is maintained by the \fBverify\fR(8) server.
800 /* See the file ADDRESS_VERIFICATION_README for information
801 /* about how to configure and operate the Postfix sender/recipient
802 /* address verification service.
803 /* .IP "\fBaddress_verify_poll_count (normal: 3, overload: 1)\fR"
804 /* How many times to query the \fBverify\fR(8) service for the completion
805 /* of an address verification request in progress.
806 /* .IP "\fBaddress_verify_poll_delay (3s)\fR"
807 /* The delay between queries for the completion of an address
808 /* verification request in progress.
809 /* .IP "\fBaddress_verify_sender ($double_bounce_sender)\fR"
810 /* The sender address to use in address verification probes; prior
811 /* to Postfix 2.5 the default was "postmaster".
812 /* .IP "\fBunverified_sender_reject_code (450)\fR"
813 /* The numerical Postfix SMTP server response code when a recipient
814 /* address is rejected by the reject_unverified_sender restriction.
815 /* .IP "\fBunverified_recipient_reject_code (450)\fR"
816 /* The numerical Postfix SMTP server response when a recipient address
817 /* is rejected by the reject_unverified_recipient restriction.
818 /* .PP
819 /* Available in Postfix version 2.6 and later:
820 /* .IP "\fBunverified_sender_defer_code (450)\fR"
821 /* The numerical Postfix SMTP server response code when a sender address
822 /* probe fails due to a temporary error condition.
823 /* .IP "\fBunverified_recipient_defer_code (450)\fR"
824 /* The numerical Postfix SMTP server response when a recipient address
825 /* probe fails due to a temporary error condition.
826 /* .IP "\fBunverified_sender_reject_reason (empty)\fR"
827 /* The Postfix SMTP server's reply when rejecting mail with
828 /* reject_unverified_sender.
829 /* .IP "\fBunverified_recipient_reject_reason (empty)\fR"
830 /* The Postfix SMTP server's reply when rejecting mail with
831 /* reject_unverified_recipient.
832 /* .IP "\fBunverified_sender_tempfail_action ($reject_tempfail_action)\fR"
833 /* The Postfix SMTP server's action when reject_unverified_sender
834 /* fails due to a temporary error condition.
835 /* .IP "\fBunverified_recipient_tempfail_action ($reject_tempfail_action)\fR"
836 /* The Postfix SMTP server's action when reject_unverified_recipient
837 /* fails due to a temporary error condition.
838 /* .PP
839 /* Available with Postfix 2.9 and later:
840 /* .IP "\fBaddress_verify_sender_ttl (0s)\fR"
841 /* The time between changes in the time-dependent portion of address
842 /* verification probe sender addresses.
843 /* ACCESS CONTROL RESPONSES
844 /* .ad
845 /* .fi
846 /* The following parameters control numerical SMTP reply codes
847 /* and/or text responses.
848 /* .IP "\fBaccess_map_reject_code (554)\fR"
849 /* The numerical Postfix SMTP server response code for
850 /* an \fBaccess\fR(5) map "reject" action.
851 /* .IP "\fBdefer_code (450)\fR"
852 /* The numerical Postfix SMTP server response code when a remote SMTP
853 /* client request is rejected by the "defer" restriction.
854 /* .IP "\fBinvalid_hostname_reject_code (501)\fR"
855 /* The numerical Postfix SMTP server response code when the client
856 /* HELO or EHLO command parameter is rejected by the reject_invalid_helo_hostname
857 /* restriction.
858 /* .IP "\fBmaps_rbl_reject_code (554)\fR"
859 /* The numerical Postfix SMTP server response code when a remote SMTP
860 /* client request is blocked by the reject_rbl_client, reject_rhsbl_client,
861 /* reject_rhsbl_reverse_client, reject_rhsbl_sender or
862 /* reject_rhsbl_recipient restriction.
863 /* .IP "\fBnon_fqdn_reject_code (504)\fR"
864 /* The numerical Postfix SMTP server reply code when a client request
865 /* is rejected by the reject_non_fqdn_helo_hostname, reject_non_fqdn_sender
866 /* or reject_non_fqdn_recipient restriction.
867 /* .IP "\fBplaintext_reject_code (450)\fR"
868 /* The numerical Postfix SMTP server response code when a request
869 /* is rejected by the \fBreject_plaintext_session\fR restriction.
870 /* .IP "\fBreject_code (554)\fR"
871 /* The numerical Postfix SMTP server response code when a remote SMTP
872 /* client request is rejected by the "reject" restriction.
873 /* .IP "\fBrelay_domains_reject_code (554)\fR"
874 /* The numerical Postfix SMTP server response code when a client
875 /* request is rejected by the reject_unauth_destination recipient
876 /* restriction.
877 /* .IP "\fBunknown_address_reject_code (450)\fR"
878 /* The numerical Postfix SMTP server response code when a sender or
879 /* recipient address is rejected by the reject_unknown_sender_domain
880 /* or reject_unknown_recipient_domain restriction.
881 /* .IP "\fBunknown_client_reject_code (450)\fR"
882 /* The numerical Postfix SMTP server response code when a client
883 /* without valid address <=> name mapping is rejected by the
884 /* reject_unknown_client_hostname restriction.
885 /* .IP "\fBunknown_hostname_reject_code (450)\fR"
886 /* The numerical Postfix SMTP server response code when the hostname
887 /* specified with the HELO or EHLO command is rejected by the
888 /* reject_unknown_helo_hostname restriction.
889 /* .PP
890 /* Available in Postfix version 2.0 and later:
891 /* .IP "\fBdefault_rbl_reply (see 'postconf -d' output)\fR"
892 /* The default Postfix SMTP server response template for a request that is
893 /* rejected by an RBL-based restriction.
894 /* .IP "\fBmulti_recipient_bounce_reject_code (550)\fR"
895 /* The numerical Postfix SMTP server response code when a remote SMTP
896 /* client request is blocked by the reject_multi_recipient_bounce
897 /* restriction.
898 /* .IP "\fBrbl_reply_maps (empty)\fR"
899 /* Optional lookup tables with RBL response templates.
900 /* .PP
901 /* Available in Postfix version 2.6 and later:
902 /* .IP "\fBaccess_map_defer_code (450)\fR"
903 /* The numerical Postfix SMTP server response code for
904 /* an \fBaccess\fR(5) map "defer" action, including "defer_if_permit"
905 /* or "defer_if_reject".
906 /* .IP "\fBreject_tempfail_action (defer_if_permit)\fR"
907 /* The Postfix SMTP server's action when a reject-type restriction
908 /* fails due to a temporary error condition.
909 /* .IP "\fBunknown_helo_hostname_tempfail_action ($reject_tempfail_action)\fR"
910 /* The Postfix SMTP server's action when reject_unknown_helo_hostname
911 /* fails due to an temporary error condition.
912 /* .IP "\fBunknown_address_tempfail_action ($reject_tempfail_action)\fR"
913 /* The Postfix SMTP server's action when reject_unknown_sender_domain
914 /* or reject_unknown_recipient_domain fail due to a temporary error
915 /* condition.
916 /* MISCELLANEOUS CONTROLS
917 /* .ad
918 /* .fi
919 /* .IP "\fBconfig_directory (see 'postconf -d' output)\fR"
920 /* The default location of the Postfix main.cf and master.cf
921 /* configuration files.
922 /* .IP "\fBdaemon_timeout (18000s)\fR"
923 /* How much time a Postfix daemon process may take to handle a
924 /* request before it is terminated by a built-in watchdog timer.
925 /* .IP "\fBcommand_directory (see 'postconf -d' output)\fR"
926 /* The location of all postfix administrative commands.
927 /* .IP "\fBdouble_bounce_sender (double-bounce)\fR"
928 /* The sender address of postmaster notifications that are generated
929 /* by the mail system.
930 /* .IP "\fBipc_timeout (3600s)\fR"
931 /* The time limit for sending or receiving information over an internal
932 /* communication channel.
933 /* .IP "\fBmail_name (Postfix)\fR"
934 /* The mail system name that is displayed in Received: headers, in
935 /* the SMTP greeting banner, and in bounced mail.
936 /* .IP "\fBmail_owner (postfix)\fR"
937 /* The UNIX system account that owns the Postfix queue and most Postfix
938 /* daemon processes.
939 /* .IP "\fBmax_idle (100s)\fR"
940 /* The maximum amount of time that an idle Postfix daemon process waits
941 /* for an incoming connection before terminating voluntarily.
942 /* .IP "\fBmax_use (100)\fR"
943 /* The maximal number of incoming connections that a Postfix daemon
944 /* process will service before terminating voluntarily.
945 /* .IP "\fBmyhostname (see 'postconf -d' output)\fR"
946 /* The internet hostname of this mail system.
947 /* .IP "\fBmynetworks (see 'postconf -d' output)\fR"
948 /* The list of "trusted" remote SMTP clients that have more privileges than
949 /* "strangers".
950 /* .IP "\fBmyorigin ($myhostname)\fR"
951 /* The domain name that locally-posted mail appears to come
952 /* from, and that locally posted mail is delivered to.
953 /* .IP "\fBprocess_id (read-only)\fR"
954 /* The process ID of a Postfix command or daemon process.
955 /* .IP "\fBprocess_name (read-only)\fR"
956 /* The process name of a Postfix command or daemon process.
957 /* .IP "\fBqueue_directory (see 'postconf -d' output)\fR"
958 /* The location of the Postfix top-level queue directory.
959 /* .IP "\fBrecipient_delimiter (empty)\fR"
960 /* The set of characters that can separate a user name from its
961 /* extension (example: user+foo), or a .forward file name from its
962 /* extension (example: .forward+foo).
963 /* .IP "\fBsmtpd_banner ($myhostname ESMTP $mail_name)\fR"
964 /* The text that follows the 220 status code in the SMTP greeting
965 /* banner.
966 /* .IP "\fBsyslog_facility (mail)\fR"
967 /* The syslog facility of Postfix logging.
968 /* .IP "\fBsyslog_name (see 'postconf -d' output)\fR"
969 /* The mail system name that is prepended to the process name in syslog
970 /* records, so that "smtpd" becomes, for example, "postfix/smtpd".
971 /* .PP
972 /* Available in Postfix version 2.2 and later:
973 /* .IP "\fBsmtpd_forbidden_commands (CONNECT, GET, POST)\fR"
974 /* List of commands that cause the Postfix SMTP server to immediately
975 /* terminate the session with a 221 code.
976 /* .PP
977 /* Available in Postfix version 2.5 and later:
978 /* .IP "\fBsmtpd_client_port_logging (no)\fR"
979 /* Enable logging of the remote SMTP client port in addition to
980 /* the hostname and IP address.
981 /* SEE ALSO
982 /* anvil(8), connection/rate limiting
983 /* cleanup(8), message canonicalization
984 /* tlsmgr(8), TLS session and PRNG management
985 /* trivial-rewrite(8), address resolver
986 /* verify(8), address verification service
987 /* postconf(5), configuration parameters
988 /* master(5), generic daemon options
989 /* master(8), process manager
990 /* syslogd(8), system logging
991 /* README FILES
992 /* .ad
993 /* .fi
994 /* Use "\fBpostconf readme_directory\fR" or
995 /* "\fBpostconf html_directory\fR" to locate this information.
996 /* .na
997 /* .nf
998 /* ADDRESS_CLASS_README, blocking unknown hosted or relay recipients
999 /* ADDRESS_REWRITING_README Postfix address manipulation
1000 /* FILTER_README, external after-queue content filter
1001 /* LOCAL_RECIPIENT_README, blocking unknown local recipients
1002 /* MILTER_README, before-queue mail filter applications
1003 /* SMTPD_ACCESS_README, built-in access policies
1004 /* SMTPD_POLICY_README, external policy server
1005 /* SMTPD_PROXY_README, external before-queue content filter
1006 /* SASL_README, Postfix SASL howto
1007 /* TLS_README, Postfix STARTTLS howto
1008 /* VERP_README, Postfix XVERP extension
1009 /* XCLIENT_README, Postfix XCLIENT extension
1010 /* XFORWARD_README, Postfix XFORWARD extension
1011 /* LICENSE
1012 /* .ad
1013 /* .fi
1014 /* The Secure Mailer license must be distributed with this software.
1015 /* AUTHOR(S)
1016 /* Wietse Venema
1017 /* IBM T.J. Watson Research
1018 /* P.O. Box 704
1019 /* Yorktown Heights, NY 10598, USA
1020 /*
1021 /* SASL support originally by:
1022 /* Till Franke
1023 /* SuSE Rhein/Main AG
1024 /* 65760 Eschborn, Germany
1025 /*
1026 /* TLS support originally by:
1027 /* Lutz Jaenicke
1028 /* BTU Cottbus
1029 /* Allgemeine Elektrotechnik
1030 /* Universitaetsplatz 3-4
1031 /* D-03044 Cottbus, Germany
1032 /*
1033 /* Revised TLS support by:
1034 /* Victor Duchovni
1035 /* Morgan Stanley
1036 /*--*/
1037 
1038 /* System library. */
1039 
1040 #include <sys_defs.h>
1041 #include <sys/socket.h>
1042 #include <sys/stat.h>
1043 #include <netinet/in.h>
1044 #include <arpa/inet.h>
1045 #include <netdb.h>
1046 #include <string.h>
1047 #include <stdio.h> /* remove() */
1048 #include <unistd.h>
1049 #include <stdlib.h>
1050 #include <errno.h>
1051 #include <ctype.h>
1052 #include <signal.h>
1053 #include <stddef.h> /* offsetof() */
1054 
1055 #ifdef STRCASECMP_IN_STRINGS_H
1056 #include <strings.h>
1057 #endif
1058 
1059 /* Utility library. */
1060 
1061 #include <msg.h>
1062 #include <mymalloc.h>
1063 #include <vstring.h>
1064 #include <vstream.h>
1065 #include <vstring_vstream.h>
1066 #include <stringops.h>
1067 #include <events.h>
1068 #include <smtp_stream.h>
1069 #include <valid_hostname.h>
1070 #include <dict.h>
1071 #include <watchdog.h>
1072 #include <iostuff.h>
1073 #include <split_at.h>
1074 #include <name_code.h>
1075 #include <inet_proto.h>
1076 
1077 /* Global library. */
1078 
1079 #include <mail_params.h>
1080 #include <mail_version.h> /* milter_macro_v */
1081 #include <record.h>
1082 #include <rec_type.h>
1083 #include <mail_proto.h>
1084 #include <cleanup_user.h>
1085 #include <mail_date.h>
1086 #include <mail_conf.h>
1087 #include <off_cvt.h>
1088 #include <debug_peer.h>
1089 #include <mail_error.h>
1090 #include <flush_clnt.h>
1091 #include <mail_stream.h>
1092 #include <mail_queue.h>
1093 #include <tok822.h>
1094 #include <verp_sender.h>
1095 #include <string_list.h>
1096 #include <quote_822_local.h>
1097 #include <lex_822.h>
1098 #include <namadr_list.h>
1099 #include <input_transp.h>
1100 #include <is_header.h>
1101 #include <anvil_clnt.h>
1102 #include <flush_clnt.h>
1103 #include <ehlo_mask.h> /* ehlo filter */
1104 #include <maps.h> /* ehlo filter */
1105 #include <valid_mailhost_addr.h>
1106 #include <dsn_mask.h>
1107 #include <xtext.h>
1108 #include <tls_proxy.h>
1109 #include <verify_sender_addr.h>
1110 
1111 /* Single-threaded server skeleton. */
1112 
1113 #include <mail_server.h>
1114 
1115 /* Mail filter library. */
1116 
1117 #include <milter.h>
1118 
1119 /* Application-specific */
1120 
1121 #include <smtpd_token.h>
1122 #include <smtpd.h>
1123 #include <smtpd_check.h>
1124 #include <smtpd_chat.h>
1125 #include <smtpd_sasl_proto.h>
1126 #include <smtpd_sasl_glue.h>
1127 #include <smtpd_proxy.h>
1128 #include <smtpd_milter.h>
1129 #include <smtpd_expand.h>
1130 
1131  /*
1132  * Tunable parameters. Make sure that there is some bound on the length of
1133  * an SMTP command, so that the mail system stays in control even when a
1134  * malicious client sends commands of unreasonable length (qmail-dos-1).
1135  * Make sure there is some bound on the number of recipients, so that the
1136  * mail system stays in control even when a malicious client sends an
1137  * unreasonable number of recipients (qmail-dos-2).
1138  */
1143 int var_queue_minfree; /* XXX use off_t */
1239 
1248 
1249 #ifdef USE_TLS
1253 char *var_smtpd_tls_CAfile;
1254 char *var_smtpd_tls_CApath;
1272 char *var_smtpd_tls_ciph;
1273 char *var_smtpd_tls_proto;
1274 char *var_smtpd_tls_eecdh;
1277 
1278 #endif
1279 
1301 
1308 
1310 
1311 #ifdef USE_TLSPROXY
1312 char *var_tlsproxy_service;
1313 
1314 #endif
1315 
1318 
1319  /*
1320  * Silly little macros.
1321  */
1322 #define STR(x) vstring_str(x)
1323 #define LEN(x) VSTRING_LEN(x)
1324 
1325  /*
1326  * EHLO keyword filter
1327  */
1328 static MAPS *ehlo_discard_maps;
1329 
1330  /*
1331  * VERP command name.
1332  */
1333 #define VERP_CMD "XVERP"
1334 #define VERP_CMD_LEN 5
1335 
1336 static NAMADR_LIST *verp_clients;
1337 
1338  /*
1339  * XCLIENT command. Access control is cached, so that XCLIENT can't override
1340  * its own access control.
1341  */
1342 static NAMADR_LIST *xclient_hosts;
1343 static int xclient_allowed; /* XXX should be SMTPD_STATE member */
1344 
1345  /*
1346  * XFORWARD command. Access control is cached.
1347  */
1348 static NAMADR_LIST *xforward_hosts;
1349 static int xforward_allowed; /* XXX should be SMTPD_STATE member */
1350 
1351  /*
1352  * Client connection and rate limiting.
1353  */
1355 static NAMADR_LIST *hogger_list;
1356 
1357  /*
1358  * Other application-specific globals.
1359  */
1361 
1362  /*
1363  * Forward declarations.
1364  */
1365 static void helo_reset(SMTPD_STATE *);
1366 static void mail_reset(SMTPD_STATE *);
1367 static void rcpt_reset(SMTPD_STATE *);
1368 static void tls_reset(SMTPD_STATE *);
1369 static void chat_reset(SMTPD_STATE *, int);
1370 
1371  /*
1372  * This filter is applied after printable().
1373  */
1374 #define NEUTER_CHARACTERS " <>()\\\";@"
1375 
1376  /*
1377  * Reasons for losing the client.
1378  */
1379 #define REASON_TIMEOUT "timeout"
1380 #define REASON_LOST_CONNECTION "lost connection"
1381 #define REASON_ERROR_LIMIT "too many errors"
1382 
1383  /*
1384  * Mail filter initialization status.
1385  */
1387 
1388 #ifdef USE_TLS
1389 
1390  /*
1391  * TLS initialization status.
1392  */
1393 static TLS_APPL_STATE *smtpd_tls_ctx;
1394 static int ask_client_cert;
1395 
1396 #endif
1397 
1398  /*
1399  * SMTP command mapping for broken clients.
1400  */
1401 static DICT *smtpd_cmd_filter;
1402 
1403 #ifdef USE_SASL_AUTH
1404 
1405  /*
1406  * SASL exceptions.
1407  */
1408 static NAMADR_LIST *sasl_exceptions_networks;
1409 
1410 /* sasl_client_exception - can we offer AUTH for this client */
1411 
1412 static int sasl_client_exception(SMTPD_STATE *state)
1413 {
1414  int match;
1415 
1416  /*
1417  * This is to work around a Netscape mail client bug where it tries to
1418  * use AUTH if available, even if user has not configured it. Returns
1419  * TRUE if AUTH should be offered in the EHLO.
1420  */
1421  if (sasl_exceptions_networks == 0)
1422  return (0);
1423 
1424  if ((match = namadr_list_match(sasl_exceptions_networks,
1425  state->name, state->addr)) == 0)
1426  match = sasl_exceptions_networks->error;
1427 
1428  if (msg_verbose)
1429  msg_info("sasl_exceptions: %s, match=%d",
1430  state->namaddr, match);
1431 
1432  return (match);
1433 }
1434 
1435 #endif
1436 
1437 /* smtpd_whatsup - gather available evidence for logging */
1438 
1439 static const char *smtpd_whatsup(SMTPD_STATE *state)
1440 {
1441  static VSTRING *buf = 0;
1442 
1443  if (buf == 0)
1444  buf = vstring_alloc(100);
1445  else
1446  VSTRING_RESET(buf);
1447  if (state->sender)
1448  vstring_sprintf_append(buf, " from=<%s>", state->sender);
1449  if (state->recipient)
1450  vstring_sprintf_append(buf, " to=<%s>", state->recipient);
1451  if (state->protocol)
1452  vstring_sprintf_append(buf, " proto=%s", state->protocol);
1453  if (state->helo_name)
1454  vstring_sprintf_append(buf, " helo=<%s>", state->helo_name);
1455  return (STR(buf));
1456 }
1457 
1458 /* collapse_args - put arguments together again */
1459 
1460 static void collapse_args(int argc, SMTPD_TOKEN *argv)
1461 {
1462  int i;
1463 
1464  for (i = 1; i < argc; i++) {
1465  vstring_strcat(argv[0].vstrval, " ");
1466  vstring_strcat(argv[0].vstrval, argv[i].strval);
1467  }
1468  argv[0].strval = STR(argv[0].vstrval);
1469 }
1470 
1471 /* check_milter_reply - process reply from Milter */
1472 
1473 static const char *check_milter_reply(SMTPD_STATE *state, const char *reply)
1474 {
1475  const char *queue_id = state->queue_id ? state->queue_id : "NOQUEUE";
1476  const char *action;
1477  const char *text;
1478 
1479  /*
1480  * The syntax of user-specified SMTP replies is checked by the Milter
1481  * module, because the replies are also used in the cleanup server.
1482  * Automatically disconnect after 421 (shutdown) reply. The Sendmail 8
1483  * Milter quarantine action is not final, so it is not included in
1484  * MILTER_SKIP_FLAGS.
1485  */
1486 #define MILTER_SKIP_FLAGS (CLEANUP_FLAG_DISCARD)
1487 
1488  switch (reply[0]) {
1489  case 'H':
1490  state->saved_flags |= CLEANUP_FLAG_HOLD;
1491  action = "milter-hold";
1492  reply = 0;
1493  text = "milter triggers HOLD action";
1494  break;
1495  case 'D':
1497  action = "milter-discard";
1498  reply = 0;
1499  text = "milter triggers DISCARD action";
1500  break;
1501  case 'S':
1502  state->error_mask |= MAIL_ERROR_POLICY;
1503  action = "milter-reject";
1504  reply = "421 4.7.0 Server closing connection";
1505  text = 0;
1506  break;
1507  case '4':
1508  case '5':
1509  state->error_mask |= MAIL_ERROR_POLICY;
1510  action = "milter-reject";
1511  text = 0;
1512  break;
1513  default:
1514  state->error_mask |= MAIL_ERROR_SOFTWARE;
1515  action = "reject";
1516  reply = "421 4.3.5 Server configuration error";
1517  text = 0;
1518  break;
1519  }
1520  msg_info("%s: %s: %s from %s: %s;%s", queue_id, action, state->where,
1521  state->namaddr, reply ? reply : text, smtpd_whatsup(state));
1522  return (reply);
1523 }
1524 
1525 /* helo_cmd - process HELO command */
1526 
1527 static int helo_cmd(SMTPD_STATE *state, int argc, SMTPD_TOKEN *argv)
1528 {
1529  const char *err;
1530 
1531  /*
1532  * RFC 2034: the text part of all 2xx, 4xx, and 5xx SMTP responses other
1533  * than the initial greeting and any response to HELO or EHLO are
1534  * prefaced with a status code as defined in RFC 3463.
1535  */
1536  if (argc < 2) {
1537  state->error_mask |= MAIL_ERROR_PROTOCOL;
1538  smtpd_chat_reply(state, "501 Syntax: HELO hostname");
1539  return (-1);
1540  }
1541  if (argc > 2)
1542  collapse_args(argc - 1, argv + 1);
1543  if (SMTPD_STAND_ALONE(state) == 0
1544  && var_smtpd_delay_reject == 0
1545  && (err = smtpd_check_helo(state, argv[1].strval)) != 0) {
1546  smtpd_chat_reply(state, "%s", err);
1547  return (-1);
1548  }
1549 
1550  /*
1551  * XXX Sendmail compatibility: if a Milter rejects CONNECT, EHLO, or
1552  * HELO, reply with 250 except in case of 421 (disconnect). The reply
1553  * persists so it will apply to MAIL FROM and to other commands such as
1554  * AUTH, STARTTLS, and VRFY.
1555  */
1556 #define PUSH_STRING(old, curr, new) { char *old = (curr); (curr) = (new);
1557 #define POP_STRING(old, curr) (curr) = old; }
1558 
1559  if (smtpd_milters != 0
1560  && SMTPD_STAND_ALONE(state) == 0
1561  && (state->saved_flags & MILTER_SKIP_FLAGS) == 0
1562  && (err = milter_helo_event(smtpd_milters, argv[1].strval, 0)) != 0) {
1563  /* Log reject etc. with correct HELO information. */
1564  PUSH_STRING(saved_helo, state->helo_name, argv[1].strval);
1565  err = check_milter_reply(state, err);
1566  POP_STRING(saved_helo, state->helo_name);
1567  if (err != 0 && strncmp(err, "421", 3) == 0) {
1568  smtpd_chat_reply(state, "%s", err);
1569  return (-1);
1570  }
1571  }
1572  if (state->helo_name != 0)
1573  helo_reset(state);
1574  chat_reset(state, var_smtpd_hist_thrsh);
1575  mail_reset(state);
1576  rcpt_reset(state);
1577  state->helo_name = mystrdup(printable(argv[1].strval, '?'));
1578  neuter(state->helo_name, NEUTER_CHARACTERS, '?');
1579  /* Downgrading the protocol name breaks the unauthorized pipelining test. */
1580  if (strcasecmp(state->protocol, MAIL_PROTO_ESMTP) != 0
1581  && strcasecmp(state->protocol, MAIL_PROTO_SMTP) != 0) {
1582  myfree(state->protocol);
1583  state->protocol = mystrdup(MAIL_PROTO_SMTP);
1584  }
1585  smtpd_chat_reply(state, "250 %s", var_myhostname);
1586  return (0);
1587 }
1588 
1589 /* cant_announce_feature - explain and terminate this session */
1590 
1591 static NORETURN cant_announce_feature(SMTPD_STATE *state, const char *feature)
1592 {
1593  msg_warn("don't know if EHLO feature %s should be announced to %s",
1594  feature, state->namaddr);
1596 }
1597 
1598 /* cant_permit_command - explain and terminate this session */
1599 
1600 static NORETURN cant_permit_command(SMTPD_STATE *state, const char *command)
1601 {
1602  msg_warn("don't know if command %s should be allowed from %s",
1603  command, state->namaddr);
1605 }
1606 
1607 /* ehlo_cmd - process EHLO command */
1608 
1609 static int ehlo_cmd(SMTPD_STATE *state, int argc, SMTPD_TOKEN *argv)
1610 {
1611  const char *err;
1612  int discard_mask;
1613  char **cpp;
1614 
1615  /*
1616  * XXX 2821 new feature: Section 4.1.4 specifies that a server must clear
1617  * all buffers and reset the state exactly as if a RSET command had been
1618  * issued.
1619  *
1620  * RFC 2034: the text part of all 2xx, 4xx, and 5xx SMTP responses other
1621  * than the initial greeting and any response to HELO or EHLO are
1622  * prefaced with a status code as defined in RFC 3463.
1623  */
1624  if (argc < 2) {
1625  state->error_mask |= MAIL_ERROR_PROTOCOL;
1626  smtpd_chat_reply(state, "501 Syntax: EHLO hostname");
1627  return (-1);
1628  }
1629  if (argc > 2)
1630  collapse_args(argc - 1, argv + 1);
1631  if (SMTPD_STAND_ALONE(state) == 0
1632  && var_smtpd_delay_reject == 0
1633  && (err = smtpd_check_helo(state, argv[1].strval)) != 0) {
1634  smtpd_chat_reply(state, "%s", err);
1635  return (-1);
1636  }
1637 
1638  /*
1639  * XXX Sendmail compatibility: if a Milter 5xx rejects CONNECT, EHLO, or
1640  * HELO, reply with ENHANCEDSTATUSCODES except in case of immediate
1641  * disconnect. The reply persists so it will apply to MAIL FROM and to
1642  * other commands such as AUTH, STARTTLS, and VRFY.
1643  */
1644  err = 0;
1645  if (smtpd_milters != 0
1646  && SMTPD_STAND_ALONE(state) == 0
1647  && (state->saved_flags & MILTER_SKIP_FLAGS) == 0
1648  && (err = milter_helo_event(smtpd_milters, argv[1].strval, 1)) != 0) {
1649  /* Log reject etc. with correct HELO information. */
1650  PUSH_STRING(saved_helo, state->helo_name, argv[1].strval);
1651  err = check_milter_reply(state, err);
1652  POP_STRING(saved_helo, state->helo_name);
1653  if (err != 0 && strncmp(err, "421", 3) == 0) {
1654  smtpd_chat_reply(state, "%s", err);
1655  return (-1);
1656  }
1657  }
1658  if (state->helo_name != 0)
1659  helo_reset(state);
1660  chat_reset(state, var_smtpd_hist_thrsh);
1661  mail_reset(state);
1662  rcpt_reset(state);
1663  state->helo_name = mystrdup(printable(argv[1].strval, '?'));
1664  neuter(state->helo_name, NEUTER_CHARACTERS, '?');
1665 
1666  /*
1667  * XXX reject_unauth_pipelining depends on the following. If the user
1668  * sends EHLO then we announce PIPELINING and we can't accuse them of
1669  * using pipelining in places where it is allowed.
1670  *
1671  * XXX The reject_unauth_pipelining test needs to change and also account
1672  * for mechanisms that disable PIPELINING selectively.
1673  */
1674  if (strcasecmp(state->protocol, MAIL_PROTO_ESMTP) != 0) {
1675  myfree(state->protocol);
1677  }
1678 
1679  /*
1680  * Build the EHLO response, producing no output until we know what to
1681  * send - this simplifies exception handling. The CRLF record boundaries
1682  * don't exist at this level in the code, so we represent multi-line
1683  * output as an array of single-line responses.
1684  */
1685 #define EHLO_APPEND(state, cmd) \
1686  do { \
1687  vstring_sprintf((state)->ehlo_buf, (cmd)); \
1688  argv_add((state)->ehlo_argv, STR((state)->ehlo_buf), (char *) 0); \
1689  } while (0)
1690 
1691 #define EHLO_APPEND1(state, cmd, arg) \
1692  do { \
1693  vstring_sprintf((state)->ehlo_buf, (cmd), (arg)); \
1694  argv_add((state)->ehlo_argv, STR((state)->ehlo_buf), (char *) 0); \
1695  } while (0)
1696 
1697  /*
1698  * XXX Sendmail compatibility: if a Milter 5XX rejects CONNECT, EHLO, or
1699  * HELO, reply with ENHANCEDSTATUSCODES only. The reply persists so it
1700  * will apply to MAIL FROM, but we currently don't have a proper
1701  * mechanism to apply Milter rejects to AUTH, STARTTLS, VRFY, and other
1702  * commands while still allowing HELO/EHLO.
1703  */
1704  discard_mask = state->ehlo_discard_mask;
1705  if (err != 0 && err[0] == '5')
1706  discard_mask |= ~EHLO_MASK_ENHANCEDSTATUSCODES;
1707  if ((discard_mask & EHLO_MASK_ENHANCEDSTATUSCODES) == 0)
1708  if (discard_mask && !(discard_mask & EHLO_MASK_SILENT))
1709  msg_info("discarding EHLO keywords: %s", str_ehlo_mask(discard_mask));
1710  if (ehlo_discard_maps && ehlo_discard_maps->error) {
1711  msg_warn("don't know what EHLO features to announce to %s",
1712  state->namaddr);
1714  }
1715 
1716  /*
1717  * These may still exist after a prior exception.
1718  */
1719  if (state->ehlo_argv == 0) {
1720  state->ehlo_argv = argv_alloc(10);
1721  state->ehlo_buf = vstring_alloc(10);
1722  } else
1723  argv_truncate(state->ehlo_argv, 0);
1724 
1725  EHLO_APPEND1(state, "%s", var_myhostname);
1726  if ((discard_mask & EHLO_MASK_PIPELINING) == 0)
1727  EHLO_APPEND(state, "PIPELINING");
1728  if ((discard_mask & EHLO_MASK_SIZE) == 0) {
1729  if (var_message_limit)
1730  EHLO_APPEND1(state, "SIZE %lu",
1731  (unsigned long) var_message_limit); /* XXX */
1732  else
1733  EHLO_APPEND(state, "SIZE");
1734  }
1735  if ((discard_mask & EHLO_MASK_VRFY) == 0)
1736  if (var_disable_vrfy_cmd == 0)
1737  EHLO_APPEND(state, SMTPD_CMD_VRFY);
1738  if ((discard_mask & EHLO_MASK_ETRN) == 0)
1739  EHLO_APPEND(state, SMTPD_CMD_ETRN);
1740 #ifdef USE_TLS
1741  if ((discard_mask & EHLO_MASK_STARTTLS) == 0)
1742  if (var_smtpd_use_tls && (!state->tls_context))
1744 #endif
1745 #ifdef USE_SASL_AUTH
1746 #ifndef AUTH_CMD
1747 #define AUTH_CMD "AUTH"
1748 #endif
1749  if ((discard_mask & EHLO_MASK_AUTH) == 0) {
1750  if (smtpd_sasl_is_active(state) && !sasl_client_exception(state)) {
1751  EHLO_APPEND1(state, "AUTH %s", state->sasl_mechanism_list);
1753  EHLO_APPEND1(state, "AUTH=%s", state->sasl_mechanism_list);
1754  } else if (sasl_exceptions_networks && sasl_exceptions_networks->error)
1755  cant_announce_feature(state, AUTH_CMD);
1756  }
1757 #define XCLIENT_LOGIN_KLUDGE " " XCLIENT_LOGIN
1758 #else
1759 #define XCLIENT_LOGIN_KLUDGE ""
1760 #endif
1761  if ((discard_mask & EHLO_MASK_VERP) == 0) {
1762  if (namadr_list_match(verp_clients, state->name, state->addr))
1763  EHLO_APPEND(state, VERP_CMD);
1764  else if (verp_clients && verp_clients->error)
1765  cant_announce_feature(state, VERP_CMD);
1766  }
1767  /* XCLIENT must not override its own access control. */
1768  if ((discard_mask & EHLO_MASK_XCLIENT) == 0) {
1769  if (xclient_allowed)
1770  EHLO_APPEND(state, XCLIENT_CMD
1771  " " XCLIENT_NAME " " XCLIENT_ADDR
1772  " " XCLIENT_PROTO " " XCLIENT_HELO
1775  else if (xclient_hosts && xclient_hosts->error)
1776  cant_announce_feature(state, XCLIENT_CMD);
1777  }
1778  if ((discard_mask & EHLO_MASK_XFORWARD) == 0) {
1779  if (xforward_allowed)
1780  EHLO_APPEND(state, XFORWARD_CMD
1784  " " XFORWARD_IDENT);
1785  else if (xforward_hosts && xforward_hosts->error)
1786  cant_announce_feature(state, XFORWARD_CMD);
1787  }
1788  if ((discard_mask & EHLO_MASK_ENHANCEDSTATUSCODES) == 0)
1789  EHLO_APPEND(state, "ENHANCEDSTATUSCODES");
1790  if ((discard_mask & EHLO_MASK_8BITMIME) == 0)
1791  EHLO_APPEND(state, "8BITMIME");
1792  if ((discard_mask & EHLO_MASK_DSN) == 0)
1793  EHLO_APPEND(state, "DSN");
1794 
1795  /*
1796  * Send the reply.
1797  */
1798  for (cpp = state->ehlo_argv->argv; *cpp; cpp++)
1799  smtpd_chat_reply(state, "250%c%s", cpp[1] ? '-' : ' ', *cpp);
1800 
1801  /*
1802  * Clean up.
1803  */
1804  argv_free(state->ehlo_argv);
1805  state->ehlo_argv = 0;
1806  vstring_free(state->ehlo_buf);
1807  state->ehlo_buf = 0;
1808 
1809  return (0);
1810 }
1811 
1812 /* helo_reset - reset HELO/EHLO command stuff */
1813 
1814 static void helo_reset(SMTPD_STATE *state)
1815 {
1816  if (state->helo_name) {
1817  myfree(state->helo_name);
1818  state->helo_name = 0;
1819  if (SMTPD_STAND_ALONE(state) == 0 && smtpd_milters != 0)
1820  milter_abort(smtpd_milters);
1821  }
1822  if (state->ehlo_argv) {
1823  argv_free(state->ehlo_argv);
1824  state->ehlo_argv = 0;
1825  }
1826  if (state->ehlo_buf) {
1827  vstring_free(state->ehlo_buf);
1828  state->ehlo_buf = 0;
1829  }
1830 }
1831 
1832 /* mail_open_stream - open mail queue file or IPC stream */
1833 
1834 static int mail_open_stream(SMTPD_STATE *state)
1835 {
1836 
1837  /*
1838  * Connect to the before-queue filter when one is configured. The MAIL
1839  * FROM and RCPT TO commands are forwarded as received (including DSN
1840  * attributes), with the exception that the before-filter smtpd process
1841  * handles all authentication, encryption, access control and relay
1842  * control, and that the before-filter smtpd process does not forward
1843  * blocked commands. If the after-filter smtp server does not support
1844  * some of Postfix's ESMTP features, then they must be turned off in the
1845  * before-filter smtpd process with the smtpd_discard_ehlo_keywords
1846  * feature.
1847  */
1848  if (state->proxy_mail) {
1851  state->proxy_mail) != 0) {
1852  smtpd_chat_reply(state, "%s", STR(state->proxy->reply));
1853  smtpd_proxy_free(state);
1854  return (-1);
1855  }
1856  }
1857 
1858  /*
1859  * If running from the master or from inetd, connect to the cleanup
1860  * service.
1861  *
1862  * XXX 2821: An SMTP server is not allowed to "clean up" mail except in the
1863  * case of original submissions.
1864  *
1865  * We implement this by distinguishing between mail that we are willing to
1866  * rewrite (the local rewrite context) and mail from elsewhere.
1867  */
1868  else if (SMTPD_STAND_ALONE(state) == 0) {
1869  int cleanup_flags;
1870 
1876  if (state->dest == 0
1877  || attr_print(state->dest->stream, ATTR_FLAG_NONE,
1878  ATTR_TYPE_INT, MAIL_ATTR_FLAGS, cleanup_flags,
1879  ATTR_TYPE_END) != 0)
1880  msg_fatal("unable to connect to the %s %s service",
1882  }
1883 
1884  /*
1885  * Otherwise, pipe the message through the privileged postdrop helper.
1886  * XXX Make postdrop a manifest constant.
1887  */
1888  else {
1889  char *postdrop_command;
1890 
1891  postdrop_command = concatenate(var_command_dir, "/postdrop",
1892  msg_verbose ? " -v" : (char *) 0, (char *) 0);
1893  state->dest = mail_stream_command(postdrop_command);
1894  if (state->dest == 0)
1895  msg_fatal("unable to execute %s", postdrop_command);
1896  myfree(postdrop_command);
1897  }
1898 
1899  /*
1900  * Record the time of arrival, the SASL-related stuff if applicable, the
1901  * sender envelope address, some session information, and some additional
1902  * attributes.
1903  *
1904  * XXX Send Milter information first, because this will hang when cleanup
1905  * goes into "throw away" mode. Also, cleanup needs to know early on
1906  * whether or not it has to do its own SMTP event emulation.
1907  *
1908  * XXX At this point we send only dummy information to keep the cleanup
1909  * server from using its non_smtpd_milters settings. We have to send
1910  * up-to-date Milter information after DATA so that the cleanup server
1911  * knows the actual Milter state.
1912  */
1913  if (state->dest) {
1914  state->cleanup = state->dest->stream;
1915  state->queue_id = mystrdup(state->dest->id);
1916  if (SMTPD_STAND_ALONE(state) == 0) {
1917  if (smtpd_milters != 0
1918  && (state->saved_flags & MILTER_SKIP_FLAGS) == 0)
1919  /* Send place-holder smtpd_milters list. */
1920  (void) milter_dummy(smtpd_milters, state->cleanup);
1923  if (*var_filter_xport)
1925  if (FORWARD_IDENT(state))
1926  rec_fprintf(state->cleanup, REC_TYPE_ATTR, "%s=%s",
1928  rec_fprintf(state->cleanup, REC_TYPE_ATTR, "%s=%s",
1930 #ifdef USE_SASL_AUTH
1931  /* Make external authentication painless (e.g., XCLIENT). */
1932  if (state->sasl_method)
1933  rec_fprintf(state->cleanup, REC_TYPE_ATTR, "%s=%s",
1934  MAIL_ATTR_SASL_METHOD, state->sasl_method);
1935  if (state->sasl_username)
1936  rec_fprintf(state->cleanup, REC_TYPE_ATTR, "%s=%s",
1937  MAIL_ATTR_SASL_USERNAME, state->sasl_username);
1938  if (state->sasl_sender)
1939  rec_fprintf(state->cleanup, REC_TYPE_ATTR, "%s=%s",
1940  MAIL_ATTR_SASL_SENDER, state->sasl_sender);
1941 #endif
1942 
1943  /*
1944  * Record DSN related information that was received with the MAIL
1945  * FROM command.
1946  *
1947  * RFC 3461 Section 5.2.1. If no ENVID parameter was included in the
1948  * MAIL command when the message was received, the ENVID
1949  * parameter MUST NOT be supplied when the message is relayed.
1950  * Ditto for the RET parameter.
1951  *
1952  * In other words, we can't simply make up our default ENVID or RET
1953  * values. We have to remember whether the client sent any.
1954  *
1955  * We store DSN information as named attribute records so that we
1956  * don't have to pollute the queue file with records that are
1957  * incompatible with past Postfix versions. Preferably, people
1958  * should be able to back out from an upgrade without losing
1959  * mail.
1960  */
1961  if (state->dsn_envid)
1962  rec_fprintf(state->cleanup, REC_TYPE_ATTR, "%s=%s",
1963  MAIL_ATTR_DSN_ENVID, state->dsn_envid);
1964  if (state->dsn_ret)
1965  rec_fprintf(state->cleanup, REC_TYPE_ATTR, "%s=%d",
1966  MAIL_ATTR_DSN_RET, state->dsn_ret);
1967  }
1968  rec_fputs(state->cleanup, REC_TYPE_FROM, state->sender);
1969  if (state->encoding != 0)
1970  rec_fprintf(state->cleanup, REC_TYPE_ATTR, "%s=%s",
1971  MAIL_ATTR_ENCODING, state->encoding);
1972 
1973  /*
1974  * Store client attributes.
1975  */
1976  if (SMTPD_STAND_ALONE(state) == 0) {
1977 
1978  /*
1979  * Attributes for logging, also used for XFORWARD.
1980  *
1981  * We store all client attributes, including ones with unknown
1982  * values. Otherwise, an unknown client hostname would be treated
1983  * as a non-existent hostname (i.e. local submission).
1984  */
1985  rec_fprintf(state->cleanup, REC_TYPE_ATTR, "%s=%s",
1987  /* XXX Note: state->rfc_addr, not state->addr. */
1988  rec_fprintf(state->cleanup, REC_TYPE_ATTR, "%s=%s",
1990  rec_fprintf(state->cleanup, REC_TYPE_ATTR, "%s=%s",
1992  rec_fprintf(state->cleanup, REC_TYPE_ATTR, "%s=%s",
1994  if (FORWARD_HELO(state))
1995  rec_fprintf(state->cleanup, REC_TYPE_ATTR, "%s=%s",
1997  rec_fprintf(state->cleanup, REC_TYPE_ATTR, "%s=%s",
1999 
2000  /*
2001  * Attributes with actual client information. These are used by
2002  * the smtpd Milter client for policy decisions. Mail that is
2003  * requeued with "postsuper -r" is not subject to processing by
2004  * the cleanup Milter client, because a) it has already been
2005  * filtered, and b) we don't have sufficient information to
2006  * reproduce the exact same SMTP events and Sendmail macros that
2007  * the smtpd Milter client received when the message originally
2008  * arrived in Postfix.
2009  */
2010  rec_fprintf(state->cleanup, REC_TYPE_ATTR, "%s=%s",
2012  rec_fprintf(state->cleanup, REC_TYPE_ATTR, "%s=%s",
2014  /* XXX Note: state->addr, not state->rfc_addr. */
2015  rec_fprintf(state->cleanup, REC_TYPE_ATTR, "%s=%s",
2017  rec_fprintf(state->cleanup, REC_TYPE_ATTR, "%s=%s",
2019  if (state->helo_name)
2020  rec_fprintf(state->cleanup, REC_TYPE_ATTR, "%s=%s",
2022  rec_fprintf(state->cleanup, REC_TYPE_ATTR, "%s=%s",
2024  rec_fprintf(state->cleanup, REC_TYPE_ATTR, "%s=%u",
2026 
2027  /*
2028  * Don't send client certificate down the pipeline unless it is
2029  * a) verified or b) just a fingerprint.
2030  */
2031  }
2032  if (state->verp_delims)
2033  rec_fputs(state->cleanup, REC_TYPE_VERP, state->verp_delims);
2034  }
2035 
2036  /*
2037  * Log the queue ID with the message origin.
2038  */
2039 #ifdef USE_SASL_AUTH
2040  if (state->sasl_username)
2041  smtpd_sasl_mail_log(state);
2042  else
2043 #endif
2044 
2045  /*
2046  * See also: smtpd_sasl_proto.c, for a longer client= logfile record.
2047  */
2048 #define PRINT_OR_NULL(cond, str) \
2049  ((cond) ? (str) : "")
2050 #define PRINT2_OR_NULL(cond, name, value) \
2051  PRINT_OR_NULL((cond), (name)), PRINT_OR_NULL((cond), (value))
2052 
2053  msg_info("%s: client=%s%s%s%s%s",
2054  (state->queue_id ? state->queue_id : "NOQUEUE"),
2055  state->namaddr,
2057  ", orig_queue_id=", FORWARD_IDENT(state)),
2059  ", orig_client=", FORWARD_NAMADDR(state)));
2060  return (0);
2061 }
2062 
2063 /* extract_addr - extract address from rubble */
2064 
2065 static int extract_addr(SMTPD_STATE *state, SMTPD_TOKEN *arg,
2066  int allow_empty_addr, int strict_rfc821)
2067 {
2068  const char *myname = "extract_addr";
2069  TOK822 *tree;
2070  TOK822 *tp;
2071  TOK822 *addr = 0;
2072  int naddr;
2073  int non_addr;
2074  int err = 0;
2075  char *junk = 0;
2076  char *text;
2077  char *colon;
2078 
2079  /*
2080  * Special case.
2081  */
2082 #define PERMIT_EMPTY_ADDR 1
2083 #define REJECT_EMPTY_ADDR 0
2084 
2085  /*
2086  * Some mailers send RFC822-style address forms (with comments and such)
2087  * in SMTP envelopes. We cannot blame users for this: the blame is with
2088  * programmers violating the RFC, and with sendmail for being permissive.
2089  *
2090  * XXX The SMTP command tokenizer must leave the address in externalized
2091  * (quoted) form, so that the address parser can correctly extract the
2092  * address from surrounding junk.
2093  *
2094  * XXX We have only one address parser, written according to the rules of
2095  * RFC 822. That standard differs subtly from RFC 821.
2096  */
2097  if (msg_verbose)
2098  msg_info("%s: input: %s", myname, STR(arg->vstrval));
2099  if (STR(arg->vstrval)[0] == '<'
2100  && STR(arg->vstrval)[LEN(arg->vstrval) - 1] == '>') {
2101  junk = text = mystrndup(STR(arg->vstrval) + 1, LEN(arg->vstrval) - 2);
2102  } else
2103  text = STR(arg->vstrval);
2104 
2105  /*
2106  * Truncate deprecated route address form.
2107  */
2108  if (*text == '@' && (colon = strchr(text, ':')) != 0)
2109  text = colon + 1;
2110  tree = tok822_parse(text);
2111 
2112  if (junk)
2113  myfree(junk);
2114 
2115  /*
2116  * Find trouble.
2117  */
2118  for (naddr = non_addr = 0, tp = tree; tp != 0; tp = tp->next) {
2119  if (tp->type == TOK822_ADDR) {
2120  addr = tp;
2121  naddr += 1; /* count address forms */
2122  } else if (tp->type == '<' || tp->type == '>') {
2123  /* void */ ; /* ignore brackets */
2124  } else {
2125  non_addr += 1; /* count non-address forms */
2126  }
2127  }
2128 
2129  /*
2130  * Report trouble. XXX Should log a warning only if we are going to
2131  * sleep+reject so that attackers can't flood our logfiles.
2132  *
2133  * XXX Unfortunately, the sleep-before-reject feature had to be abandoned
2134  * (at least for small error counts) because servers were DOS-ing
2135  * themselves when flooded by backscatter traffic.
2136  */
2137  if (naddr > 1
2138  || (strict_rfc821 && (non_addr || *STR(arg->vstrval) != '<'))) {
2139  msg_warn("Illegal address syntax from %s in %s command: %s",
2140  state->namaddr, state->where,
2141  printable(STR(arg->vstrval), '?'));
2142  err = 1;
2143  }
2144 
2145  /*
2146  * Don't overwrite the input with the extracted address. We need the
2147  * original (external) form in case the client does not send ORCPT
2148  * information; and error messages are more accurate if we log the
2149  * unmodified form. We need the internal form for all other purposes.
2150  */
2151  if (addr)
2153  else
2154  vstring_strcpy(state->addr_buf, "");
2155 
2156  /*
2157  * Report trouble. XXX Should log a warning only if we are going to
2158  * sleep+reject so that attackers can't flood our logfiles. Log the
2159  * original address.
2160  */
2161  if (err == 0)
2162  if ((STR(state->addr_buf)[0] == 0 && !allow_empty_addr)
2163  || (strict_rfc821 && STR(state->addr_buf)[0] == '@')
2164  || (SMTPD_STAND_ALONE(state) == 0
2165  && smtpd_check_addr(STR(state->addr_buf)) != 0)) {
2166  msg_warn("Illegal address syntax from %s in %s command: %s",
2167  state->namaddr, state->where,
2168  printable(STR(arg->vstrval), '?'));
2169  err = 1;
2170  }
2171 
2172  /*
2173  * Cleanup.
2174  */
2175  tok822_free_tree(tree);
2176  if (msg_verbose)
2177  msg_info("%s: in: %s, result: %s",
2178  myname, STR(arg->vstrval), STR(state->addr_buf));
2179  return (err);
2180 }
2181 
2182 /* milter_argv - impedance adapter */
2183 
2184 static const char **milter_argv(SMTPD_STATE *state, int argc, SMTPD_TOKEN *argv)
2185 {
2186  int n;
2187  ssize_t len = argc + 1;
2188 
2189  if (state->milter_argc < len) {
2190  if (state->milter_argc > 0)
2191  state->milter_argv = (const char **)
2192  myrealloc((char *) state->milter_argv,
2193  sizeof(const char *) * len);
2194  else
2195  state->milter_argv = (const char **)
2196  mymalloc(sizeof(const char *) * len);
2197  state->milter_argc = len;
2198  }
2199  for (n = 0; n < argc; n++)
2200  state->milter_argv[n] = argv[n].strval;
2201  state->milter_argv[n] = 0;
2202  return (state->milter_argv);
2203 }
2204 
2205 /* mail_cmd - process MAIL command */
2206 
2207 static int mail_cmd(SMTPD_STATE *state, int argc, SMTPD_TOKEN *argv)
2208 {
2209  const char *err;
2210  int narg;
2211  char *arg;
2212  char *verp_delims = 0;
2213  int rate;
2214  int dsn_envid = 0;
2215 
2216  state->encoding = 0;
2217  state->dsn_ret = 0;
2218 
2219  /*
2220  * Sanity checks.
2221  *
2222  * XXX 2821 pedantism: Section 4.1.2 says that SMTP servers that receive a
2223  * command in which invalid character codes have been employed, and for
2224  * which there are no other reasons for rejection, MUST reject that
2225  * command with a 501 response. Postfix attempts to be 8-bit clean.
2226  */
2227  if (var_helo_required && state->helo_name == 0) {
2228  state->error_mask |= MAIL_ERROR_POLICY;
2229  smtpd_chat_reply(state, "503 5.5.1 Error: send HELO/EHLO first");
2230  return (-1);
2231  }
2232  if (SMTPD_IN_MAIL_TRANSACTION(state)) {
2233  state->error_mask |= MAIL_ERROR_PROTOCOL;
2234  smtpd_chat_reply(state, "503 5.5.1 Error: nested MAIL command");
2235  return (-1);
2236  }
2237  if (argc < 3
2238  || strcasecmp(argv[1].strval, "from:") != 0) {
2239  state->error_mask |= MAIL_ERROR_PROTOCOL;
2240  smtpd_chat_reply(state, "501 5.5.4 Syntax: MAIL FROM:<address>");
2241  return (-1);
2242  }
2243 
2244  /*
2245  * XXX The client event count/rate control must be consistent in its use
2246  * of client address information in connect and disconnect events. For
2247  * now we exclude xclient authorized hosts from event count/rate control.
2248  */
2249  if (SMTPD_STAND_ALONE(state) == 0
2250  && !xclient_allowed
2251  && anvil_clnt
2252  && var_smtpd_cmail_limit > 0
2253  && !namadr_list_match(hogger_list, state->name, state->addr)
2254  && anvil_clnt_mail(anvil_clnt, state->service, state->addr,
2255  &rate) == ANVIL_STAT_OK
2256  && rate > var_smtpd_cmail_limit) {
2257  state->error_mask |= MAIL_ERROR_POLICY;
2258  smtpd_chat_reply(state, "450 4.7.1 Error: too much mail from %s",
2259  state->addr);
2260  msg_warn("Message delivery request rate limit exceeded: %d from %s for service %s",
2261  rate, state->namaddr, state->service);
2262  return (-1);
2263  }
2264  if (argv[2].tokval == SMTPD_TOK_ERROR) {
2265  state->error_mask |= MAIL_ERROR_PROTOCOL;
2266  smtpd_chat_reply(state, "501 5.1.7 Bad sender address syntax");
2267  return (-1);
2268  }
2269  if (extract_addr(state, argv + 2, PERMIT_EMPTY_ADDR, var_strict_rfc821_env) != 0) {
2270  state->error_mask |= MAIL_ERROR_PROTOCOL;
2271  smtpd_chat_reply(state, "501 5.1.7 Bad sender address syntax");
2272  return (-1);
2273  }
2274  for (narg = 3; narg < argc; narg++) {
2275  arg = argv[narg].strval;
2276  if (strcasecmp(arg, "BODY=8BITMIME") == 0) { /* RFC 1652 */
2277  state->encoding = MAIL_ATTR_ENC_8BIT;
2278  } else if (strcasecmp(arg, "BODY=7BIT") == 0) { /* RFC 1652 */
2279  state->encoding = MAIL_ATTR_ENC_7BIT;
2280  } else if (strncasecmp(arg, "SIZE=", 5) == 0) { /* RFC 1870 */
2281  /* Reject non-numeric size. */
2282  if (!alldig(arg + 5)) {
2283  state->error_mask |= MAIL_ERROR_PROTOCOL;
2284  smtpd_chat_reply(state, "501 5.5.4 Bad message size syntax");
2285  return (-1);
2286  }
2287  /* Reject size overflow. */
2288  if ((state->msg_size = off_cvt_string(arg + 5)) < 0) {
2289  state->error_mask |= MAIL_ERROR_POLICY;
2290  smtpd_chat_reply(state, "552 5.3.4 Message size exceeds file system imposed limit");
2291  return (-1);
2292  }
2293 #ifdef USE_SASL_AUTH
2294  } else if (strncasecmp(arg, "AUTH=", 5) == 0) {
2295  if ((err = smtpd_sasl_mail_opt(state, arg + 5)) != 0) {
2296  smtpd_chat_reply(state, "%s", err);
2297  return (-1);
2298  }
2299 #endif
2300  } else if (namadr_list_match(verp_clients, state->name, state->addr)
2301  && strncasecmp(arg, VERP_CMD, VERP_CMD_LEN) == 0
2302  && (arg[VERP_CMD_LEN] == '=' || arg[VERP_CMD_LEN] == 0)) {
2303  if (arg[VERP_CMD_LEN] == 0) {
2304  verp_delims = var_verp_delims;
2305  } else {
2306  verp_delims = arg + VERP_CMD_LEN + 1;
2307  if (verp_delims_verify(verp_delims) != 0) {
2308  state->error_mask |= MAIL_ERROR_PROTOCOL;
2309  smtpd_chat_reply(state,
2310  "501 5.5.4 Error: %s needs two characters from %s",
2312  return (-1);
2313  }
2314  }
2315  } else if (strncasecmp(arg, "RET=", 4) == 0) { /* RFC 3461 */
2316  /* Sanitized on input. */
2317  if (state->ehlo_discard_mask & EHLO_MASK_DSN) {
2318  state->error_mask |= MAIL_ERROR_PROTOCOL;
2319  smtpd_chat_reply(state, "501 5.7.1 DSN support is disabled");
2320  return (-1);
2321  }
2322  if (state->dsn_ret
2323  || (state->dsn_ret = dsn_ret_code(arg + 4)) == 0) {
2324  state->error_mask |= MAIL_ERROR_PROTOCOL;
2325  smtpd_chat_reply(state,
2326  "501 5.5.4 Bad RET parameter syntax");
2327  return (-1);
2328  }
2329  } else if (strncasecmp(arg, "ENVID=", 6) == 0) { /* RFC 3461 */
2330  /* Sanitized by bounce server. */
2331  if (state->ehlo_discard_mask & EHLO_MASK_DSN) {
2332  state->error_mask |= MAIL_ERROR_PROTOCOL;
2333  smtpd_chat_reply(state, "501 5.7.1 DSN support is disabled");
2334  return (-1);
2335  }
2336  if (dsn_envid
2337  || xtext_unquote(state->dsn_buf, arg + 6) == 0
2338  || !allprint(STR(state->dsn_buf))) {
2339  state->error_mask |= MAIL_ERROR_PROTOCOL;
2340  smtpd_chat_reply(state, "501 5.5.4 Bad ENVID parameter syntax");
2341  return (-1);
2342  }
2343  dsn_envid = 1;
2344  } else {
2345  state->error_mask |= MAIL_ERROR_PROTOCOL;
2346  smtpd_chat_reply(state, "555 5.5.4 Unsupported option: %s", arg);
2347  return (-1);
2348  }
2349  }
2350  if ((err = smtpd_check_size(state, state->msg_size)) != 0) {
2351  smtpd_chat_reply(state, "%s", err);
2352  return (-1);
2353  }
2354  if (verp_delims && STR(state->addr_buf)[0] == 0) {
2355  smtpd_chat_reply(state, "503 5.5.4 Error: %s requires non-null sender",
2356  VERP_CMD);
2357  return (-1);
2358  }
2359  if (SMTPD_STAND_ALONE(state) == 0) {
2360  const char *verify_sender;
2361 
2362  /*
2363  * XXX Don't reject the address when we're probed with our own
2364  * address verification sender address. Otherwise, some timeout or
2365  * some UCE block may result in mutual negative caching, making it
2366  * painful to get the mail through. Unfortunately we still have to
2367  * send the address to the Milters otherwise they may bail out with a
2368  * "missing recipient" protocol error.
2369  */
2370  verify_sender = valid_verify_sender_addr(STR(state->addr_buf));
2371  if (verify_sender != 0)
2372  vstring_strcpy(state->addr_buf, verify_sender);
2373  }
2374  if (SMTPD_STAND_ALONE(state) == 0
2375  && var_smtpd_delay_reject == 0
2376  && (err = smtpd_check_mail(state, STR(state->addr_buf))) != 0) {
2377  /* XXX Reset access map side effects. */
2378  mail_reset(state);
2379  smtpd_chat_reply(state, "%s", err);
2380  return (-1);
2381  }
2382  if (smtpd_milters != 0
2383  && SMTPD_STAND_ALONE(state) == 0
2384  && (state->saved_flags & MILTER_SKIP_FLAGS) == 0) {
2385  PUSH_STRING(saved_sender, state->sender, STR(state->addr_buf));
2386  err = milter_mail_event(smtpd_milters,
2387  milter_argv(state, argc - 2, argv + 2));
2388  if (err != 0) {
2389  /* Log reject etc. with correct sender information. */
2390  err = check_milter_reply(state, err);
2391  }
2392  POP_STRING(saved_sender, state->sender);
2393  if (err != 0) {
2394  /* XXX Reset access map side effects. */
2395  mail_reset(state);
2396  smtpd_chat_reply(state, "%s", err);
2397  return (-1);
2398  }
2399  }
2400  if (SMTPD_STAND_ALONE(state) == 0) {
2401  err = smtpd_check_rewrite(state);
2402  if (err != 0) {
2403  /* XXX Reset access map side effects. */
2404  mail_reset(state);
2405  smtpd_chat_reply(state, "%s", err);
2406  return (-1);
2407  }
2408  }
2409 
2410  /*
2411  * Check the queue file space, if applicable. The optional before-filter
2412  * speed-adjust buffers use disk space. However, we don't know if they
2413  * compete for storage space with the after-filter queue, so we can't
2414  * simply bump up the free space requirement to 2.5 * message_size_limit.
2415  */
2416  if (!USE_SMTPD_PROXY(state)
2418  if (SMTPD_STAND_ALONE(state) == 0
2419  && (err = smtpd_check_queue(state)) != 0) {
2420  /* XXX Reset access map side effects. */
2421  mail_reset(state);
2422  smtpd_chat_reply(state, "%s", err);
2423  return (-1);
2424  }
2425  }
2426 
2427  /*
2428  * No more early returns. The mail transaction is in progress.
2429  */
2430  GETTIMEOFDAY(&state->arrival_time);
2431  state->sender = mystrdup(STR(state->addr_buf));
2432  vstring_sprintf(state->instance, "%x.%lx.%lx.%x",
2433  var_pid, (unsigned long) state->arrival_time.tv_sec,
2434  (unsigned long) state->arrival_time.tv_usec, state->seqno++);
2435  if (verp_delims)
2436  state->verp_delims = mystrdup(verp_delims);
2437  if (dsn_envid)
2438  state->dsn_envid = mystrdup(STR(state->dsn_buf));
2439  if (USE_SMTPD_PROXY(state))
2440  state->proxy_mail = mystrdup(STR(state->buffer));
2441  if (var_smtpd_delay_open == 0 && mail_open_stream(state) < 0) {
2442  /* XXX Reset access map side effects. */
2443  mail_reset(state);
2444  return (-1);
2445  }
2446  smtpd_chat_reply(state, "250 2.1.0 Ok");
2447  return (0);
2448 }
2449 
2450 /* mail_reset - reset MAIL command stuff */
2451 
2452 static void mail_reset(SMTPD_STATE *state)
2453 {
2454  state->msg_size = 0;
2455  state->act_size = 0;
2456  state->flags &= SMTPD_MASK_MAIL_KEEP;
2457 
2458  /*
2459  * Unceremoniously close the pipe to the cleanup service. The cleanup
2460  * service will delete the queue file when it detects a premature
2461  * end-of-file condition on input.
2462  */
2463  if (state->cleanup != 0) {
2464  mail_stream_cleanup(state->dest);
2465  state->dest = 0;
2466  state->cleanup = 0;
2467  }
2468  state->err = 0;
2469  if (state->queue_id != 0) {
2470  myfree(state->queue_id);
2471  state->queue_id = 0;
2472  }
2473  if (state->sender) {
2474  if (SMTPD_STAND_ALONE(state) == 0 && smtpd_milters != 0)
2475  milter_abort(smtpd_milters);
2476  myfree(state->sender);
2477  state->sender = 0;
2478  }
2479  if (state->verp_delims) {
2480  myfree(state->verp_delims);
2481  state->verp_delims = 0;
2482  }
2483  if (state->proxy_mail) {
2484  myfree(state->proxy_mail);
2485  state->proxy_mail = 0;
2486  }
2487  if (state->saved_filter) {
2488  myfree(state->saved_filter);
2489  state->saved_filter = 0;
2490  }
2491  if (state->saved_redirect) {
2492  myfree(state->saved_redirect);
2493  state->saved_redirect = 0;
2494  }
2495  if (state->saved_bcc) {
2496  myfree(state->saved_bcc);
2497  state->saved_bcc = 0;
2498  }
2499  state->saved_flags = 0;
2500 #ifdef DELAY_ACTION
2501  state->saved_delay = 0;
2502 #endif
2503 #ifdef USE_SASL_AUTH
2504  if (state->sasl_sender)
2505  smtpd_sasl_mail_reset(state);
2506 #endif
2507  state->discard = 0;
2508  VSTRING_RESET(state->instance);
2509  VSTRING_TERMINATE(state->instance);
2510 
2511  if (state->proxy)
2512  smtpd_proxy_free(state);
2513  if (state->xforward.flags)
2514  smtpd_xforward_reset(state);
2515  if (state->prepend)
2516  state->prepend = argv_free(state->prepend);
2517  if (state->dsn_envid) {
2518  myfree(state->dsn_envid);
2519  state->dsn_envid = 0;
2520  }
2521  if (state->milter_argv) {
2522  myfree((char *) state->milter_argv);
2523  state->milter_argv = 0;
2524  state->milter_argc = 0;
2525  }
2526 }
2527 
2528 /* rcpt_cmd - process RCPT TO command */
2529 
2530 static int rcpt_cmd(SMTPD_STATE *state, int argc, SMTPD_TOKEN *argv)
2531 {
2532  SMTPD_PROXY *proxy;
2533  const char *err;
2534  int narg;
2535  char *arg;
2536  int rate;
2537  const char *dsn_orcpt_addr = 0;
2538  ssize_t dsn_orcpt_addr_len = 0;
2539  const char *dsn_orcpt_type = 0;
2540  int dsn_notify = 0;
2541  const char *coded_addr;
2542  const char *milter_err;
2543 
2544  /*
2545  * Sanity checks.
2546  *
2547  * XXX 2821 pedantism: Section 4.1.2 says that SMTP servers that receive a
2548  * command in which invalid character codes have been employed, and for
2549  * which there are no other reasons for rejection, MUST reject that
2550  * command with a 501 response. So much for the principle of "be liberal
2551  * in what you accept, be strict in what you send".
2552  */
2553  if (!SMTPD_IN_MAIL_TRANSACTION(state)) {
2554  state->error_mask |= MAIL_ERROR_PROTOCOL;
2555  smtpd_chat_reply(state, "503 5.5.1 Error: need MAIL command");
2556  return (-1);
2557  }
2558  if (argc < 3
2559  || strcasecmp(argv[1].strval, "to:") != 0) {
2560  state->error_mask |= MAIL_ERROR_PROTOCOL;
2561  smtpd_chat_reply(state, "501 5.5.4 Syntax: RCPT TO:<address>");
2562  return (-1);
2563  }
2564 
2565  /*
2566  * XXX The client event count/rate control must be consistent in its use
2567  * of client address information in connect and disconnect events. For
2568  * now we exclude xclient authorized hosts from event count/rate control.
2569  */
2570  if (SMTPD_STAND_ALONE(state) == 0
2571  && !xclient_allowed
2572  && anvil_clnt
2573  && var_smtpd_crcpt_limit > 0
2574  && !namadr_list_match(hogger_list, state->name, state->addr)
2575  && anvil_clnt_rcpt(anvil_clnt, state->service, state->addr,
2576  &rate) == ANVIL_STAT_OK
2577  && rate > var_smtpd_crcpt_limit) {
2578  state->error_mask |= MAIL_ERROR_POLICY;
2579  msg_warn("Recipient address rate limit exceeded: %d from %s for service %s",
2580  rate, state->namaddr, state->service);
2581  smtpd_chat_reply(state, "450 4.7.1 Error: too many recipients from %s",
2582  state->addr);
2583  return (-1);
2584  }
2585  if (argv[2].tokval == SMTPD_TOK_ERROR) {
2586  state->error_mask |= MAIL_ERROR_PROTOCOL;
2587  smtpd_chat_reply(state, "501 5.1.3 Bad recipient address syntax");
2588  return (-1);
2589  }
2590  if (extract_addr(state, argv + 2, REJECT_EMPTY_ADDR, var_strict_rfc821_env) != 0) {
2591  state->error_mask |= MAIL_ERROR_PROTOCOL;
2592  smtpd_chat_reply(state, "501 5.1.3 Bad recipient address syntax");
2593  return (-1);
2594  }
2595  for (narg = 3; narg < argc; narg++) {
2596  arg = argv[narg].strval;
2597  if (strncasecmp(arg, "NOTIFY=", 7) == 0) { /* RFC 3461 */
2598  /* Sanitized on input. */
2599  if (state->ehlo_discard_mask & EHLO_MASK_DSN) {
2600  state->error_mask |= MAIL_ERROR_PROTOCOL;
2601  smtpd_chat_reply(state, "501 5.7.1 DSN support is disabled");
2602  return (-1);
2603  }
2604  if (dsn_notify || (dsn_notify = dsn_notify_mask(arg + 7)) == 0) {
2605  state->error_mask |= MAIL_ERROR_PROTOCOL;
2606  smtpd_chat_reply(state,
2607  "501 5.5.4 Error: Bad NOTIFY parameter syntax");
2608  return (-1);
2609  }
2610  } else if (strncasecmp(arg, "ORCPT=", 6) == 0) { /* RFC 3461 */
2611  /* Sanitized by bounce server. */
2612  if (state->ehlo_discard_mask & EHLO_MASK_DSN) {
2613  state->error_mask |= MAIL_ERROR_PROTOCOL;
2614  smtpd_chat_reply(state, "501 5.7.1 DSN support is disabled");
2615  return (-1);
2616  }
2617  vstring_strcpy(state->dsn_orcpt_buf, arg + 6);
2618  if (dsn_orcpt_addr
2619  || (coded_addr = split_at(STR(state->dsn_orcpt_buf), ';')) == 0
2620  || xtext_unquote(state->dsn_buf, coded_addr) == 0
2621  || *(dsn_orcpt_type = STR(state->dsn_orcpt_buf)) == 0) {
2622  state->error_mask |= MAIL_ERROR_PROTOCOL;
2623  smtpd_chat_reply(state,
2624  "501 5.5.4 Error: Bad ORCPT parameter syntax");
2625  return (-1);
2626  }
2627  dsn_orcpt_addr = STR(state->dsn_buf);
2628  dsn_orcpt_addr_len = LEN(state->dsn_buf);
2629  } else {
2630  state->error_mask |= MAIL_ERROR_PROTOCOL;
2631  smtpd_chat_reply(state, "555 5.5.4 Unsupported option: %s", arg);
2632  return (-1);
2633  }
2634  }
2636  smtpd_chat_reply(state, "452 4.5.3 Error: too many recipients");
2637  if (state->rcpt_overshoot++ < var_smtpd_rcpt_overlim)
2638  return (0);
2639  state->error_mask |= MAIL_ERROR_POLICY;
2640  return (-1);
2641  }
2642  if (SMTPD_STAND_ALONE(state) == 0) {
2643  const char *verify_sender;
2644 
2645  /*
2646  * XXX Don't reject the address when we're probed with our own
2647  * address verification sender address. Otherwise, some timeout or
2648  * some UCE block may result in mutual negative caching, making it
2649  * painful to get the mail through. Unfortunately we still have to
2650  * send the address to the Milters otherwise they may bail out with a
2651  * "missing recipient" protocol error.
2652  */
2653  verify_sender = valid_verify_sender_addr(STR(state->addr_buf));
2654  if (verify_sender != 0) {
2655  vstring_strcpy(state->addr_buf, verify_sender);
2656  err = 0;
2657  } else {
2658  err = smtpd_check_rcpt(state, STR(state->addr_buf));
2659  }
2660  if (smtpd_milters != 0
2661  && (state->saved_flags & MILTER_SKIP_FLAGS) == 0) {
2662  PUSH_STRING(saved_rcpt, state->recipient, STR(state->addr_buf));
2663  state->milter_reject_text = err;
2664  milter_err = milter_rcpt_event(smtpd_milters,
2665  err == 0 ? MILTER_FLAG_NONE :
2667  milter_argv(state, argc - 2, argv + 2));
2668  if (err == 0 && milter_err != 0) {
2669  /* Log reject etc. with correct recipient information. */
2670  err = check_milter_reply(state, milter_err);
2671  }
2672  POP_STRING(saved_rcpt, state->recipient);
2673  }
2674  if (err != 0) {
2675  smtpd_chat_reply(state, "%s", err);
2676  return (-1);
2677  }
2678  }
2679 
2680  /*
2681  * Don't access the proxy, queue file, or queue file writer process until
2682  * we have a valid recipient address.
2683  */
2684  if (state->proxy == 0 && state->cleanup == 0 && mail_open_stream(state) < 0)
2685  return (-1);
2686 
2687  /*
2688  * Proxy the recipient. OK, so we lied. If the real-time proxy rejects
2689  * the recipient then we can have a proxy connection without having
2690  * accepted a recipient.
2691  */
2692  proxy = state->proxy;
2693  if (proxy != 0 && proxy->cmd(state, SMTPD_PROX_WANT_OK,
2694  "%s", STR(state->buffer)) != 0) {
2695  smtpd_chat_reply(state, "%s", STR(proxy->reply));
2696  return (-1);
2697  }
2698 
2699  /*
2700  * Store the recipient. Remember the first one.
2701  *
2702  * Flush recipients to maintain a stiffer coupling with the next stage and
2703  * to better utilize parallelism.
2704  *
2705  * RFC 3461 Section 5.2.1: If the NOTIFY parameter was not supplied for a
2706  * recipient when the message was received, the NOTIFY parameter MUST NOT
2707  * be supplied for that recipient when the message is relayed.
2708  *
2709  * In other words, we can't simply make up our default NOTIFY value. We have
2710  * to remember whether the client sent any.
2711  *
2712  * RFC 3461 Section 5.2.1: If no ORCPT parameter was present when the
2713  * message was received, an ORCPT parameter MAY be added to the RCPT
2714  * command when the message is relayed. If an ORCPT parameter is added
2715  * by the relaying MTA, it MUST contain the recipient address from the
2716  * RCPT command used when the message was received by that MTA.
2717  *
2718  * In other words, it is OK to make up our own DSN original recipient when
2719  * the client didn't send one. Although the RFC mentions mail relaying
2720  * only, we also make up our own original recipient for the purpose of
2721  * final delivery. For now, we do this here, rather than on the fly.
2722  *
2723  * XXX We use REC_TYPE_ATTR for DSN-related recipient attributes even though
2724  * 1) REC_TYPE_ATTR is not meant for multiple instances of the same named
2725  * attribute, and 2) mixing REC_TYPE_ATTR with REC_TYPE_(not attr)
2726  * requires that we map attributes with rec_attr_map() in order to
2727  * simplify the recipient record processing loops in the cleanup and qmgr
2728  * servers.
2729  *
2730  * Another possibility, yet to be explored, is to leave the additional
2731  * recipient information in the queue file and just pass queue file
2732  * offsets along with the delivery request. This is a trade off between
2733  * memory allocation versus numeric conversion overhead.
2734  *
2735  * Since we have no record grouping mechanism, all recipient-specific
2736  * parameters must be sent to the cleanup server before the actual
2737  * recipient address.
2738  */
2739  state->rcpt_count++;
2740  if (state->recipient == 0)
2741  state->recipient = mystrdup(STR(state->addr_buf));
2742  if (state->cleanup) {
2743  /* Note: RFC(2)821 externalized address! */
2744  if (dsn_orcpt_addr == 0) {
2745  dsn_orcpt_type = "rfc822";
2746  dsn_orcpt_addr = argv[2].strval;
2747  dsn_orcpt_addr_len = strlen(argv[2].strval);
2748  if (dsn_orcpt_addr[0] == '<'
2749  && dsn_orcpt_addr[dsn_orcpt_addr_len - 1] == '>') {
2750  dsn_orcpt_addr += 1;
2751  dsn_orcpt_addr_len -= 2;
2752  }
2753  }
2754  if (dsn_notify)
2755  rec_fprintf(state->cleanup, REC_TYPE_ATTR, "%s=%d",
2756  MAIL_ATTR_DSN_NOTIFY, dsn_notify);
2757  rec_fprintf(state->cleanup, REC_TYPE_ATTR, "%s=%s;%.*s",
2758  MAIL_ATTR_DSN_ORCPT, dsn_orcpt_type,
2759  (int) dsn_orcpt_addr_len, dsn_orcpt_addr);
2760  rec_fputs(state->cleanup, REC_TYPE_RCPT, STR(state->addr_buf));
2761  vstream_fflush(state->cleanup);
2762  }
2763  smtpd_chat_reply(state, "250 2.1.5 Ok");
2764  return (0);
2765 }
2766 
2767 /* rcpt_reset - reset RCPT stuff */
2768 
2769 static void rcpt_reset(SMTPD_STATE *state)
2770 {
2771  if (state->recipient) {
2772  myfree(state->recipient);
2773  state->recipient = 0;
2774  }
2775  state->rcpt_count = 0;
2776  /* XXX Must flush the command history. */
2777  state->rcpt_overshoot = 0;
2778 }
2779 
2780 #if 0
2781 
2782 /* rfc2047_comment_encode - encode comment string */
2783 
2784 static VSTRING *rfc2047_comment_encode(const char *str, const char *charset)
2785 {
2786  VSTRING *buf = vstring_alloc(30);
2787  const unsigned char *cp;
2788  int ch;
2789 
2790  /*
2791  * XXX This is problematic code.
2792  *
2793  * XXX Most of the RFC 2047 "especials" are not special in RFC*822 comments,
2794  * but we encode them anyway to avoid complaints.
2795  *
2796  * XXX In Received: header comments we enclose peer and issuer common names
2797  * with "" quotes (inherited from the Lutz Jaenicke patch). This is the
2798  * cause of several quirks.
2799  *
2800  * 1) We encode text that contains the " character, even though that
2801  * character is not special for RFC*822 comments.
2802  *
2803  * 2) We ignore the recommended limit of 75 characters per encoded word,
2804  * because long comments look ugly when folded in-between quotes.
2805  *
2806  * 3) We encode the enclosing quotes, to avoid producing invalid encoded
2807  * words. Microsoft abuses RFC 2047 encoding with attachment names, but
2808  * we have no information on what decoders do with malformed encoding in
2809  * comments. This means the comments are Jaenicke-compatible only after
2810  * decoding.
2811  */
2812 #define ESPECIALS "()<>@,;:\"/[]?.=" /* Special in RFC 2047 */
2813 #define QSPECIALS "_" ESPECIALS /* Special in RFC 2047 'Q' */
2814 #define CSPECIALS "\\\"()" /* Special in our comments */
2815 
2816  /* Don't encode if not needed. */
2817  for (cp = (unsigned char *) str; /* see below */ ; ++cp) {
2818  if ((ch = *cp) == 0) {
2819  vstring_sprintf(buf, "\"%s\"", str);
2820  return (buf);
2821  }
2822  if (!ISPRINT(ch) || strchr(CSPECIALS, ch))
2823  break;
2824  }
2825 
2826  /*
2827  * Use quoted-printable (like) encoding with spaces mapped to underscore.
2828  */
2829  vstring_sprintf(buf, "=?%s?Q?=%02X", charset, '"');
2830  for (cp = (unsigned char *) str; (ch = *cp) != 0; ++cp) {
2831  if (!ISPRINT(ch) || strchr(QSPECIALS CSPECIALS, ch)) {
2832  vstring_sprintf_append(buf, "=%02X", ch);
2833  } else if (ch == ' ') {
2834  VSTRING_ADDCH(buf, '_');
2835  } else {
2836  VSTRING_ADDCH(buf, ch);
2837  }
2838  }
2839  vstring_sprintf_append(buf, "=%02X?=", '"');
2840  return (buf);
2841 }
2842 
2843 #endif
2844 
2845 /* comment_sanitize - clean up comment string */
2846 
2847 static void comment_sanitize(VSTRING *comment_string)
2848 {
2849  unsigned char *cp;
2850  int ch;
2851  int pc;
2852 
2853  /*
2854  * Postfix Received: headers can be configured to include a comment with
2855  * the CN (CommonName) of the peer and its issuer, or the login name of a
2856  * SASL authenticated user. To avoid problems with RFC 822 etc. syntax,
2857  * we limit this information to printable ASCII text, and neutralize
2858  * characters that affect comment parsing: the backslash and unbalanced
2859  * parentheses.
2860  */
2861  for (pc = 0, cp = (unsigned char *) STR(comment_string); (ch = *cp) != 0; cp++) {
2862  if (!ISASCII(ch) || !ISPRINT(ch) || ch == '\\') {
2863  *cp = '?';
2864  } else if (ch == '(') {
2865  pc++;
2866  } else if (ch == ')') {
2867  if (pc > 0)
2868  pc--;
2869  else
2870  *cp = '?';
2871  }
2872  }
2873  while (pc-- > 0)
2874  VSTRING_ADDCH(comment_string, ')');
2875  VSTRING_TERMINATE(comment_string);
2876 }
2877 
2878 /* data_cmd - process DATA command */
2879 
2880 static int data_cmd(SMTPD_STATE *state, int argc, SMTPD_TOKEN *unused_argv)
2881 {
2882  SMTPD_PROXY *proxy;
2883  const char *err;
2884  char *start;
2885  int len;
2886  int curr_rec_type;
2887  int prev_rec_type;
2888  int first = 1;
2889  VSTRING *why = 0;
2890  int saved_err;
2891  int (*out_record) (VSTREAM *, int, const char *, ssize_t);
2892  int (*out_fprintf) (VSTREAM *, int, const char *,...);
2893  VSTREAM *out_stream;
2894  int out_error;
2895  char **cpp;
2896  const CLEANUP_STAT_DETAIL *detail;
2897  const char *rfc3848_sess;
2898  const char *rfc3848_auth;
2899 
2900 #ifdef USE_TLS
2901  VSTRING *peer_CN;
2902  VSTRING *issuer_CN;
2903 
2904 #endif
2905 #ifdef USE_SASL_AUTH
2906  VSTRING *username;
2907 
2908 #endif
2909 
2910  /*
2911  * Sanity checks. With ESMTP command pipelining the client can send DATA
2912  * before all recipients are rejected, so don't report that as a protocol
2913  * error.
2914  */
2915  if (state->rcpt_count == 0) {
2916  if (!SMTPD_IN_MAIL_TRANSACTION(state)) {
2917  state->error_mask |= MAIL_ERROR_PROTOCOL;
2918  smtpd_chat_reply(state, "503 5.5.1 Error: need RCPT command");
2919  } else {
2920  smtpd_chat_reply(state, "554 5.5.1 Error: no valid recipients");
2921  }
2922  return (-1);
2923  }
2924  if (argc != 1) {
2925  state->error_mask |= MAIL_ERROR_PROTOCOL;
2926  smtpd_chat_reply(state, "501 5.5.4 Syntax: DATA");
2927  return (-1);
2928  }
2929  if (SMTPD_STAND_ALONE(state) == 0 && (err = smtpd_check_data(state)) != 0) {
2930  smtpd_chat_reply(state, "%s", err);
2931  return (-1);
2932  }
2933  if (smtpd_milters != 0
2934  && SMTPD_STAND_ALONE(state) == 0
2935  && (state->saved_flags & MILTER_SKIP_FLAGS) == 0
2936  && (err = milter_data_event(smtpd_milters)) != 0
2937  && (err = check_milter_reply(state, err)) != 0) {
2938  smtpd_chat_reply(state, "%s", err);
2939  return (-1);
2940  }
2941  proxy = state->proxy;
2942  if (proxy != 0 && proxy->cmd(state, SMTPD_PROX_WANT_MORE,
2943  "%s", STR(state->buffer)) != 0) {
2944  smtpd_chat_reply(state, "%s", STR(proxy->reply));
2945  return (-1);
2946  }
2947 
2948  /*
2949  * One level of indirection to choose between normal or proxied
2950  * operation. We want to avoid massive code duplication within tons of
2951  * if-else clauses.
2952  */
2953  if (proxy) {
2954  out_stream = proxy->stream;
2955  out_record = proxy->rec_put;
2956  out_fprintf = proxy->rec_fprintf;
2957  out_error = CLEANUP_STAT_PROXY;
2958  } else {
2959  out_stream = state->cleanup;
2960  out_record = rec_put;
2961  out_fprintf = rec_fprintf;
2962  out_error = CLEANUP_STAT_WRITE;
2963  }
2964 
2965  /*
2966  * Flush out a first batch of access table actions that are delegated to
2967  * the cleanup server, and that may trigger before we accept the first
2968  * valid recipient. There will be more after end-of-data.
2969  *
2970  * Terminate the message envelope segment. Start the message content
2971  * segment, and prepend our own Received: header. If there is only one
2972  * recipient, list the recipient address.
2973  */
2974  if (state->cleanup) {
2975  if (SMTPD_STAND_ALONE(state) == 0) {
2976  if (smtpd_milters != 0
2977  && (state->saved_flags & MILTER_SKIP_FLAGS) == 0)
2978  /* Send actual smtpd_milters list. */
2979  (void) milter_send(smtpd_milters, state->cleanup);
2980  if (state->saved_flags)
2981  rec_fprintf(state->cleanup, REC_TYPE_FLGS, "%d",
2982  state->saved_flags);
2983  }
2984  rec_fputs(state->cleanup, REC_TYPE_MESG, "");
2985  }
2986 
2987  /*
2988  * PREPEND message headers above our own Received: header.
2989  */
2990  if (state->prepend)
2991  for (cpp = state->prepend->argv; *cpp; cpp++)
2992  out_fprintf(out_stream, REC_TYPE_NORM, "%s", *cpp);
2993 
2994  /*
2995  * Suppress our own Received: header in the unlikely case that we are an
2996  * intermediate proxy.
2997  */
2998  if (!proxy || state->xforward.flags == 0) {
2999  out_fprintf(out_stream, REC_TYPE_NORM,
3000  "Received: from %s (%s [%s])",
3001  state->helo_name ? state->helo_name : state->name,
3002  state->name, state->rfc_addr);
3003 
3004 #define VSTRING_STRDUP(s) vstring_strcpy(vstring_alloc(strlen(s) + 1), (s))
3005 
3006 #ifdef USE_TLS
3007  if (var_smtpd_tls_received_header && state->tls_context) {
3008  out_fprintf(out_stream, REC_TYPE_NORM,
3009  "\t(using %s with cipher %s (%d/%d bits))",
3010  state->tls_context->protocol,
3011  state->tls_context->cipher_name,
3012  state->tls_context->cipher_usebits,
3013  state->tls_context->cipher_algbits);
3014  if (TLS_CERT_IS_PRESENT(state->tls_context)) {
3015  peer_CN = VSTRING_STRDUP(state->tls_context->peer_CN);
3016  comment_sanitize(peer_CN);
3017  issuer_CN = VSTRING_STRDUP(state->tls_context->issuer_CN ?
3018  state->tls_context->issuer_CN : "");
3019  comment_sanitize(issuer_CN);
3020  out_fprintf(out_stream, REC_TYPE_NORM,
3021  "\t(Client CN \"%s\", Issuer \"%s\" (%s))",
3022  STR(peer_CN), STR(issuer_CN),
3023  TLS_CERT_IS_TRUSTED(state->tls_context) ?
3024  "verified OK" : "not verified");
3025  vstring_free(issuer_CN);
3026  vstring_free(peer_CN);
3027  } else if (var_smtpd_tls_ask_ccert)
3028  out_fprintf(out_stream, REC_TYPE_NORM,
3029  "\t(Client did not present a certificate)");
3030  else
3031  out_fprintf(out_stream, REC_TYPE_NORM,
3032  "\t(No client certificate requested)");
3033  }
3034  /* RFC 3848 is defined for ESMTP only. */
3035  if (state->tls_context != 0
3036  && strcmp(state->protocol, MAIL_PROTO_ESMTP) == 0)
3037  rfc3848_sess = "S";
3038  else
3039 #endif
3040  rfc3848_sess = "";
3041 #ifdef USE_SASL_AUTH
3042  if (var_smtpd_sasl_auth_hdr && state->sasl_username) {
3043  username = VSTRING_STRDUP(state->sasl_username);
3044  comment_sanitize(username);
3045  out_fprintf(out_stream, REC_TYPE_NORM,
3046  "\t(Authenticated sender: %s)", STR(username));
3047  vstring_free(username);
3048  }
3049  /* RFC 3848 is defined for ESMTP only. */
3050  if (state->sasl_username
3051  && strcmp(state->protocol, MAIL_PROTO_ESMTP) == 0)
3052  rfc3848_auth = "A";
3053  else
3054 #endif
3055  rfc3848_auth = "";
3056  if (state->rcpt_count == 1 && state->recipient) {
3057  out_fprintf(out_stream, REC_TYPE_NORM,
3058  state->cleanup ? "\tby %s (%s) with %s%s%s id %s" :
3059  "\tby %s (%s) with %s%s%s",
3061  state->protocol, rfc3848_sess,
3062  rfc3848_auth, state->queue_id);
3063  quote_822_local(state->buffer, state->recipient);
3064  out_fprintf(out_stream, REC_TYPE_NORM,
3065  "\tfor <%s>; %s", STR(state->buffer),
3066  mail_date(state->arrival_time.tv_sec));
3067  } else {
3068  out_fprintf(out_stream, REC_TYPE_NORM,
3069  state->cleanup ? "\tby %s (%s) with %s%s%s id %s;" :
3070  "\tby %s (%s) with %s%s%s;",
3072  state->protocol, rfc3848_sess,
3073  rfc3848_auth, state->queue_id);
3074  out_fprintf(out_stream, REC_TYPE_NORM,
3075  "\t%s", mail_date(state->arrival_time.tv_sec));
3076  }
3077 #ifdef RECEIVED_ENVELOPE_FROM
3078  quote_822_local(state->buffer, state->sender);
3079  out_fprintf(out_stream, REC_TYPE_NORM,
3080  "\t(envelope-from %s)", STR(state->buffer));
3081 #endif
3082  }
3083 
3084  smtpd_chat_reply(state, "354 End data with <CR><LF>.<CR><LF>");
3085  state->where = SMTPD_AFTER_DATA;
3086 
3087  /*
3088  * Copy the message content. If the cleanup process has a problem, keep
3089  * reading until the remote stops sending, then complain. Produce typed
3090  * records from the SMTP stream so we can handle data that spans buffers.
3091  *
3092  * XXX Force an empty record when the queue file content begins with
3093  * whitespace, so that it won't be considered as being part of our own
3094  * Received: header. What an ugly Kluge.
3095  *
3096  * XXX Deal with UNIX-style From_ lines at the start of message content
3097  * because sendmail permits it.
3098  */
3099  for (prev_rec_type = 0; /* void */ ; prev_rec_type = curr_rec_type) {
3100  if (smtp_get(state->buffer, state->client, var_line_limit,
3101  SMTP_GET_FLAG_NONE) == '\n')
3102  curr_rec_type = REC_TYPE_NORM;
3103  else
3104  curr_rec_type = REC_TYPE_CONT;
3105  start = vstring_str(state->buffer);
3106  len = VSTRING_LEN(state->buffer);
3107  if (first) {
3108  if (strncmp(start + strspn(start, ">"), "From ", 5) == 0) {
3109  out_fprintf(out_stream, curr_rec_type,
3110  "X-Mailbox-Line: %s", start);
3111  continue;
3112  }
3113  first = 0;
3114  if (len > 0 && IS_SPACE_TAB(start[0]))
3115  out_record(out_stream, REC_TYPE_NORM, "", 0);
3116  }
3117  if (prev_rec_type != REC_TYPE_CONT && *start == '.'
3118  && (proxy == 0 ? (++start, --len) == 0 : len == 1))
3119  break;
3120  if (state->err == CLEANUP_STAT_OK) {
3121  if (var_message_limit > 0 && var_message_limit - state->act_size < len + 2) {
3122  state->err = CLEANUP_STAT_SIZE;
3123  msg_warn("%s: queue file size limit exceeded",
3124  state->queue_id ? state->queue_id : "NOQUEUE");
3125  } else {
3126  state->act_size += len + 2;
3127  if (out_record(out_stream, curr_rec_type, start, len) < 0)
3128  state->err = out_error;
3129  }
3130  }
3131  }
3132  state->where = SMTPD_AFTER_DOT;
3133  if (state->err == CLEANUP_STAT_OK
3134  && SMTPD_STAND_ALONE(state) == 0
3135  && (err = smtpd_check_eod(state)) != 0) {
3136  smtpd_chat_reply(state, "%s", err);
3137  if (proxy) {
3138  smtpd_proxy_close(state);
3139  } else {
3140  mail_stream_cleanup(state->dest);
3141  state->dest = 0;
3142  state->cleanup = 0;
3143  }
3144  return (-1);
3145  }
3146 
3147  /*
3148  * Send the end of DATA and finish the proxy connection. Set the
3149  * CLEANUP_STAT_PROXY error flag in case of trouble.
3150  */
3151  if (proxy) {
3152  if (state->err == CLEANUP_STAT_OK) {
3153  (void) proxy->cmd(state, SMTPD_PROX_WANT_ANY, ".");
3154  if (state->err == CLEANUP_STAT_OK &&
3155  *STR(proxy->reply) != '2')
3156  state->err = CLEANUP_STAT_CONT;
3157  }
3158  }
3159 
3160  /*
3161  * Flush out access table actions that are delegated to the cleanup
3162  * server. There is similar code at the beginning of the DATA command.
3163  *
3164  * Send the end-of-segment markers and finish the queue file record stream.
3165  */
3166  else {
3167  if (state->err == CLEANUP_STAT_OK) {
3168  rec_fputs(state->cleanup, REC_TYPE_XTRA, "");
3169  if (state->saved_filter)
3170  rec_fprintf(state->cleanup, REC_TYPE_FILT, "%s",
3171  state->saved_filter);
3172  if (state->saved_redirect)
3173  rec_fprintf(state->cleanup, REC_TYPE_RDR, "%s",
3174  state->saved_redirect);
3175  if (state->saved_bcc) {
3176  rec_fprintf(state->cleanup, REC_TYPE_RCPT, "%s",
3177  state->saved_bcc);
3178  rec_fprintf(state->cleanup, REC_TYPE_ATTR, "%s=%d",
3180  }
3181  if (state->saved_flags)
3182  rec_fprintf(state->cleanup, REC_TYPE_FLGS, "%d",
3183  state->saved_flags);
3184 #ifdef DELAY_ACTION
3185  if (state->saved_delay)
3186  rec_fprintf(state->cleanup, REC_TYPE_DELAY, "%d",
3187  state->saved_delay);
3188 #endif
3189  if (vstream_ferror(state->cleanup))
3190  state->err = CLEANUP_STAT_WRITE;
3191  }
3192  if (state->err == CLEANUP_STAT_OK)
3193  if (rec_fputs(state->cleanup, REC_TYPE_END, "") < 0
3194  || vstream_fflush(state->cleanup))
3195  state->err = CLEANUP_STAT_WRITE;
3196  if (state->err == 0) {
3197  why = vstring_alloc(10);
3198  state->err = mail_stream_finish(state->dest, why);
3199  printable(STR(why), ' ');
3200  } else
3201  mail_stream_cleanup(state->dest);
3202  state->dest = 0;
3203  state->cleanup = 0;
3204  }
3205 
3206  /*
3207  * XXX If we lose the cleanup server while it is editing a queue file,
3208  * the Postfix SMTP server will be out of sync with Milter applications.
3209  * Sending an ABORT to the Milters is not sufficient to restore
3210  * synchronization, because there may be any number of Milter replies
3211  * already in flight. Destroying and recreating the Milters (and faking
3212  * the connect and ehlo events) is too much trouble for testing and
3213  * maintenance. Workaround: force the Postfix SMTP server to hang up with
3214  * a 421 response in the rare case that the cleanup server breaks AND
3215  * that the remote SMTP client continues the session after end-of-data.
3216  *
3217  * XXX Should use something other than CLEANUP_STAT_WRITE when we lose
3218  * contact with the cleanup server. This requires changes to the
3219  * mail_stream module and its users (smtpd, qmqpd, perhaps sendmail).
3220  *
3221  * XXX See exception below in code that overrides state->access_denied for
3222  * compliance with RFC 2821 Sec 3.1.
3223  */
3224  if (smtpd_milters != 0 && (state->err & CLEANUP_STAT_WRITE) != 0)
3225  state->access_denied = mystrdup("421 4.3.0 Mail system error");
3226 
3227  /*
3228  * Handle any errors. One message may suffer from multiple errors, so
3229  * complain only about the most severe error. Forgive any previous client
3230  * errors when a message was received successfully.
3231  *
3232  * See also: qmqpd.c
3233  */
3234 #define IS_SMTP_REJECT(s) \
3235  (((s)[0] == '4' || (s)[0] == '5') \
3236  && ISDIGIT((s)[1]) && ISDIGIT((s)[2]) \
3237  && ((s)[3] == '\0' || (s)[3] == ' ' || (s)[3] == '-'))
3238 
3239  if (state->err == CLEANUP_STAT_OK) {
3240  state->error_count = 0;
3241  state->error_mask = 0;
3242  state->junk_cmds = 0;
3243  if (proxy)
3244  smtpd_chat_reply(state, "%s", STR(proxy->reply));
3245  else
3246  smtpd_chat_reply(state,
3247  "250 2.0.0 Ok: queued as %s", state->queue_id);
3248  } else if (why && IS_SMTP_REJECT(STR(why))) {
3249  state->error_mask |= MAIL_ERROR_POLICY;
3250  smtpd_chat_reply(state, "%s", STR(why));
3251  } else if ((state->err & CLEANUP_STAT_DEFER) != 0) {
3252  state->error_mask |= MAIL_ERROR_POLICY;
3254  if (why && LEN(why) > 0) {
3255  /* Allow address-specific DSN status in header/body_checks. */
3256  smtpd_chat_reply(state, "%d %s", detail->smtp, STR(why));
3257  } else {
3258  smtpd_chat_reply(state, "%d %s Error: %s",
3259  detail->smtp, detail->dsn, detail->text);
3260  }
3261  } else if ((state->err & CLEANUP_STAT_BAD) != 0) {
3262  state->error_mask |= MAIL_ERROR_SOFTWARE;
3264  smtpd_chat_reply(state, "%d %s Error: internal error %d",
3265  detail->smtp, detail->dsn, state->err);
3266  } else if ((state->err & CLEANUP_STAT_SIZE) != 0) {
3267  state->error_mask |= MAIL_ERROR_BOUNCE;
3269  smtpd_chat_reply(state, "%d %s Error: %s",
3270  detail->smtp, detail->dsn, detail->text);
3271  } else if ((state->err & CLEANUP_STAT_HOPS) != 0) {
3272  state->error_mask |= MAIL_ERROR_BOUNCE;
3274  smtpd_chat_reply(state, "%d %s Error: %s",
3275  detail->smtp, detail->dsn, detail->text);
3276  } else if ((state->err & CLEANUP_STAT_CONT) != 0) {
3277  state->error_mask |= MAIL_ERROR_POLICY;
3279  if (proxy) {
3280  smtpd_chat_reply(state, "%s", STR(proxy->reply));
3281  } else if (why && LEN(why) > 0) {
3282  /* Allow address-specific DSN status in header/body_checks. */
3283  smtpd_chat_reply(state, "%d %s", detail->smtp, STR(why));
3284  } else {
3285  smtpd_chat_reply(state, "%d %s Error: %s",
3286  detail->smtp, detail->dsn, detail->text);
3287  }
3288  } else if ((state->err & CLEANUP_STAT_WRITE) != 0) {
3289  state->error_mask |= MAIL_ERROR_RESOURCE;
3291  smtpd_chat_reply(state, "%d %s Error: %s",
3292  detail->smtp, detail->dsn, detail->text);
3293  } else if ((state->err & CLEANUP_STAT_PROXY) != 0) {
3294  state->error_mask |= MAIL_ERROR_SOFTWARE;
3295  smtpd_chat_reply(state, "%s", STR(proxy->reply));
3296  } else {
3297  state->error_mask |= MAIL_ERROR_SOFTWARE;
3299  smtpd_chat_reply(state, "%d %s Error: internal error %d",
3300  detail->smtp, detail->dsn, state->err);
3301  }
3302 
3303  /*
3304  * By popular command: the proxy's end-of-data reply.
3305  */
3306  if (proxy)
3307  msg_info("proxy-%s: %s: %s;%s",
3308  (state->err == CLEANUP_STAT_OK) ? "accept" : "reject",
3309  state->where, STR(proxy->reply), smtpd_whatsup(state));
3310 
3311  /*
3312  * Cleanup. The client may send another MAIL command.
3313  */
3314  saved_err = state->err;
3315  chat_reset(state, var_smtpd_hist_thrsh);
3316  mail_reset(state);
3317  rcpt_reset(state);
3318  if (why)
3319  vstring_free(why);
3320  return (saved_err);
3321 }
3322 
3323 /* rset_cmd - process RSET */
3324 
3325 static int rset_cmd(SMTPD_STATE *state, int argc, SMTPD_TOKEN *unused_argv)
3326 {
3327 
3328  /*
3329  * Sanity checks.
3330  */
3331  if (argc != 1) {
3332  state->error_mask |= MAIL_ERROR_PROTOCOL;
3333  smtpd_chat_reply(state, "501 5.5.4 Syntax: RSET");
3334  return (-1);
3335  }
3336 
3337  /*
3338  * Restore state to right after HELO/EHLO command.
3339  */
3340  chat_reset(state, var_smtpd_hist_thrsh);
3341  mail_reset(state);
3342  rcpt_reset(state);
3343  smtpd_chat_reply(state, "250 2.0.0 Ok");
3344  return (0);
3345 }
3346 
3347 /* noop_cmd - process NOOP */
3348 
3349 static int noop_cmd(SMTPD_STATE *state, int argc, SMTPD_TOKEN *unused_argv)
3350 {
3351 
3352  /*
3353  * XXX 2821 incompatibility: Section 4.1.1.9 says that NOOP can have a
3354  * parameter string which is to be ignored. NOOP instructions with
3355  * parameters? Go figure.
3356  *
3357  * RFC 2821 violates RFC 821, which says that NOOP takes no parameters.
3358  */
3359 #ifdef RFC821_SYNTAX
3360 
3361  /*
3362  * Sanity checks.
3363  */
3364  if (argc != 1) {
3365  state->error_mask |= MAIL_ERROR_PROTOCOL;
3366  smtpd_chat_reply(state, "501 5.5.4 Syntax: NOOP");
3367  return (-1);
3368  }
3369 #endif
3370  smtpd_chat_reply(state, "250 2.0.0 Ok");
3371  return (0);
3372 }
3373 
3374 /* vrfy_cmd - process VRFY */
3375 
3376 static int vrfy_cmd(SMTPD_STATE *state, int argc, SMTPD_TOKEN *argv)
3377 {
3378  const char *err = 0;
3379  int rate;
3380 
3381  /*
3382  * The SMTP standard (RFC 821) disallows unquoted special characters in
3383  * the VRFY argument. Common practice violates the standard, however.
3384  * Postfix accomodates common practice where it violates the standard.
3385  *
3386  * XXX Impedance mismatch! The SMTP command tokenizer preserves quoting,
3387  * whereas the recipient restrictions checks expect unquoted (internal)
3388  * address forms. Therefore we must parse out the address, or we must
3389  * stop doing recipient restriction checks and lose the opportunity to
3390  * say "user unknown" at the SMTP port.
3391  *
3392  * XXX 2821 incompatibility and brain damage: Section 4.5.1 requires that
3393  * VRFY is implemented. RFC 821 specifies that VRFY is optional. It gets
3394  * even worse: section 3.5.3 says that a 502 (command recognized but not
3395  * implemented) reply is not fully compliant.
3396  *
3397  * Thus, an RFC 2821 compliant implementation cannot refuse to supply
3398  * information in reply to VRFY queries. That is simply bogus. The only
3399  * reply we could supply is a generic 252 reply. This causes spammers to
3400  * add tons of bogus addresses to their mailing lists (spam harvesting by
3401  * trying out large lists of potential recipient names with VRFY).
3402  */
3403 #define SLOPPY 0
3404 
3405  if (var_disable_vrfy_cmd) {
3406  state->error_mask |= MAIL_ERROR_POLICY;
3407  smtpd_chat_reply(state, "502 5.5.1 VRFY command is disabled");
3408  return (-1);
3409  }
3410  if (argc < 2) {
3411  state->error_mask |= MAIL_ERROR_PROTOCOL;
3412  smtpd_chat_reply(state, "501 5.5.4 Syntax: VRFY address");
3413  return (-1);
3414  }
3415 
3416  /*
3417  * XXX The client event count/rate control must be consistent in its use
3418  * of client address information in connect and disconnect events. For
3419  * now we exclude xclient authorized hosts from event count/rate control.
3420  */
3421  if (SMTPD_STAND_ALONE(state) == 0
3422  && !xclient_allowed
3423  && anvil_clnt
3424  && var_smtpd_crcpt_limit > 0
3425  && !namadr_list_match(hogger_list, state->name, state->addr)
3426  && anvil_clnt_rcpt(anvil_clnt, state->service, state->addr,
3427  &rate) == ANVIL_STAT_OK
3428  && rate > var_smtpd_crcpt_limit) {
3429  state->error_mask |= MAIL_ERROR_POLICY;
3430  msg_warn("Recipient address rate limit exceeded: %d from %s for service %s",
3431  rate, state->namaddr, state->service);
3432  smtpd_chat_reply(state, "450 4.7.1 Error: too many recipients from %s",
3433  state->addr);
3434  return (-1);
3435  }
3436  if (smtpd_milters != 0 && (err = milter_other_event(smtpd_milters)) != 0
3437  && (err[0] == '5' || err[0] == '4')) {
3438  state->error_mask |= MAIL_ERROR_POLICY;
3439  smtpd_chat_reply(state, "%s", err);
3440  return (-1);
3441  }
3442  if (argc > 2)
3443  collapse_args(argc - 1, argv + 1);
3444  if (extract_addr(state, argv + 1, REJECT_EMPTY_ADDR, SLOPPY) != 0) {
3445  state->error_mask |= MAIL_ERROR_PROTOCOL;
3446  smtpd_chat_reply(state, "501 5.1.3 Bad recipient address syntax");
3447  return (-1);
3448  }
3449  /* Use state->addr_buf, with the unquoted result from extract_addr() */
3450  if (SMTPD_STAND_ALONE(state) == 0
3451  && (err = smtpd_check_rcpt(state, STR(state->addr_buf))) != 0) {
3452  smtpd_chat_reply(state, "%s", err);
3453  return (-1);
3454  }
3455 
3456  /*
3457  * XXX 2821 new feature: Section 3.5.1 requires that the VRFY response is
3458  * either "full name <user@domain>" or "user@domain". Postfix replies
3459  * with the string that was provided by the client, whether or not it is
3460  * in fully qualified domain form and the address is in <>.
3461  *
3462  * Reply code 250 is reserved for the case where the address is verified;
3463  * reply code 252 should be used when no definitive certainty exists.
3464  */
3465  smtpd_chat_reply(state, "252 2.0.0 %s", argv[1].strval);
3466  return (0);
3467 }
3468 
3469 /* etrn_cmd - process ETRN command */
3470 
3471 static int etrn_cmd(SMTPD_STATE *state, int argc, SMTPD_TOKEN *argv)
3472 {
3473  const char *err;
3474 
3475  /*
3476  * Sanity checks.
3477  */
3478  if (var_helo_required && state->helo_name == 0) {
3479  state->error_mask |= MAIL_ERROR_POLICY;
3480  smtpd_chat_reply(state, "503 Error: send HELO/EHLO first");
3481  return (-1);
3482  }
3483  if (smtpd_milters != 0 && (err = milter_other_event(smtpd_milters)) != 0
3484  && (err[0] == '5' || err[0] == '4')) {
3485  state->error_mask |= MAIL_ERROR_POLICY;
3486  smtpd_chat_reply(state, "%s", err);
3487  return (-1);
3488  }
3489  if (SMTPD_IN_MAIL_TRANSACTION(state)) {
3490  state->error_mask |= MAIL_ERROR_PROTOCOL;
3491  smtpd_chat_reply(state, "503 Error: MAIL transaction in progress");
3492  return (-1);
3493  }
3494  if (argc != 2) {
3495  state->error_mask |= MAIL_ERROR_PROTOCOL;
3496  smtpd_chat_reply(state, "500 Syntax: ETRN domain");
3497  return (-1);
3498  }
3499  if (argv[1].strval[0] == '@' || argv[1].strval[0] == '#')
3500  argv[1].strval++;
3501 
3502  /*
3503  * As an extension to RFC 1985 we also allow an RFC 2821 address literal
3504  * enclosed in [].
3505  */
3506  if (!valid_hostname(argv[1].strval, DONT_GRIPE)
3507  && !valid_mailhost_literal(argv[1].strval, DONT_GRIPE)) {
3508  state->error_mask |= MAIL_ERROR_PROTOCOL;
3509  smtpd_chat_reply(state, "501 Error: invalid parameter syntax");
3510  return (-1);
3511  }
3512 
3513  /*
3514  * XXX The implementation borrows heavily from the code that implements
3515  * UCE restrictions. These typically return 450 or 550 when a request is
3516  * rejected. RFC 1985 requires that 459 be sent when the server refuses
3517  * to perform the request.
3518  */
3519  if (SMTPD_STAND_ALONE(state)) {
3520  msg_warn("do not use ETRN in \"sendmail -bs\" mode");
3521  smtpd_chat_reply(state, "458 Unable to queue messages");
3522  return (-1);
3523  }
3524  if ((err = smtpd_check_etrn(state, argv[1].strval)) != 0) {
3525  smtpd_chat_reply(state, "%s", err);
3526  return (-1);
3527  }
3528  switch (flush_send_site(argv[1].strval)) {
3529  case FLUSH_STAT_OK:
3530  smtpd_chat_reply(state, "250 Queuing started");
3531  return (0);
3532  case FLUSH_STAT_DENY:
3533  msg_warn("reject: ETRN %.100s... from %s",
3534  argv[1].strval, state->namaddr);
3535  smtpd_chat_reply(state, "459 <%s>: service unavailable",
3536  argv[1].strval);
3537  return (-1);
3538  case FLUSH_STAT_BAD:
3539  msg_warn("bad ETRN %.100s... from %s", argv[1].strval, state->namaddr);
3540  smtpd_chat_reply(state, "458 Unable to queue messages");
3541  return (-1);
3542  default:
3543  msg_warn("unable to talk to fast flush service");
3544  smtpd_chat_reply(state, "458 Unable to queue messages");
3545  return (-1);
3546  }
3547 }
3548 
3549 /* quit_cmd - process QUIT command */
3550 
3551 static int quit_cmd(SMTPD_STATE *state, int unused_argc, SMTPD_TOKEN *unused_argv)
3552 {
3553  int out_pending = vstream_bufstat(state->client, VSTREAM_BST_OUT_PEND);
3554 
3555  /*
3556  * Don't bother checking the syntax.
3557  */
3558  smtpd_chat_reply(state, "221 2.0.0 Bye");
3559 
3560  /*
3561  * When the "." and quit replies are pipelined, make sure they are
3562  * flushed now, to avoid repeated mail deliveries in case of a crash in
3563  * the "clean up before disconnect" code.
3564  *
3565  * XXX When this was added in Postfix 2.1 we used vstream_fflush(). As of
3566  * Postfix 2.3 we use smtp_flush() for better error reporting.
3567  */
3568  if (out_pending > 0)
3569  smtp_flush(state->client);
3570  return (0);
3571 }
3572 
3573 /* xclient_cmd - override SMTP client attributes */
3574 
3575 static int xclient_cmd(SMTPD_STATE *state, int argc, SMTPD_TOKEN *argv)
3576 {
3577  SMTPD_TOKEN *argp;
3578  char *raw_value;
3579  char *attr_value;
3580  const char *bare_value;
3581  char *attr_name;
3582  int update_namaddr = 0;
3583  int name_status;
3584  static const NAME_CODE peer_codes[] = {
3587  0, SMTPD_PEER_CODE_OK,
3588  };
3589  static const NAME_CODE proto_names[] = {
3590  MAIL_PROTO_SMTP, 1,
3591  MAIL_PROTO_ESMTP, 2,
3592  0, -1,
3593  };
3594  int got_helo = 0;
3595  int got_proto = 0;
3596  int got_login = 0;
3597 
3598  /*
3599  * Sanity checks.
3600  *
3601  * XXX The XCLIENT command will override its own access control, so that
3602  * connection count/rate restrictions can be correctly simulated.
3603  */
3604  if (SMTPD_IN_MAIL_TRANSACTION(state)) {
3605  state->error_mask |= MAIL_ERROR_PROTOCOL;
3606  smtpd_chat_reply(state, "503 5.5.1 Error: MAIL transaction in progress");
3607  return (-1);
3608  }
3609  if (argc < 2) {
3610  state->error_mask |= MAIL_ERROR_PROTOCOL;
3611  smtpd_chat_reply(state, "501 5.5.4 Syntax: %s attribute=value...",
3612  XCLIENT_CMD);
3613  return (-1);
3614  }
3615  if (xclient_hosts && xclient_hosts->error)
3616  cant_permit_command(state, XCLIENT_CMD);
3617  if (!xclient_allowed) {
3618  state->error_mask |= MAIL_ERROR_POLICY;
3619  smtpd_chat_reply(state, "550 5.7.0 Error: insufficient authorization");
3620  return (-1);
3621  }
3622 #define STREQ(x,y) (strcasecmp((x), (y)) == 0)
3623 #define UPDATE_STR(s, v) do { \
3624  const char *_v = (v); \
3625  if (s) myfree(s); \
3626  s = (_v) ? mystrdup(_v) : 0; \
3627  } while(0)
3628 
3629  /*
3630  * Initialize.
3631  */
3632  if (state->expand_buf == 0)
3633  state->expand_buf = vstring_alloc(100);
3634 
3635  /*
3636  * Iterate over all attribute=value elements.
3637  */
3638  for (argp = argv + 1; argp < argv + argc; argp++) {
3639  attr_name = argp->strval;
3640 
3641  if ((raw_value = split_at(attr_name, '=')) == 0 || *raw_value == 0) {
3642  state->error_mask |= MAIL_ERROR_PROTOCOL;
3643  smtpd_chat_reply(state, "501 5.5.4 Error: attribute=value expected");
3644  return (-1);
3645  }
3646  if (strlen(raw_value) > 255) {
3647  state->error_mask |= MAIL_ERROR_PROTOCOL;
3648  smtpd_chat_reply(state, "501 5.5.4 Error: attribute value too long");
3649  return (-1);
3650  }
3651 
3652  /*
3653  * Backwards compatibility: Postfix prior to version 2.3 does not
3654  * xtext encode attribute values.
3655  */
3656  attr_value = xtext_unquote(state->expand_buf, raw_value) ?
3657  STR(state->expand_buf) : raw_value;
3658 
3659  /*
3660  * For safety's sake mask non-printable characters. We'll do more
3661  * specific censoring later.
3662  */
3663  printable(attr_value, '?');
3664 
3665  /*
3666  * NAME=substitute SMTP client hostname (and reverse/forward name, in
3667  * case of success). Also updates the client hostname lookup status
3668  * code.
3669  */
3670  if (STREQ(attr_name, XCLIENT_NAME)) {
3671  name_status = name_code(peer_codes, NAME_CODE_FLAG_NONE, attr_value);
3672  if (name_status != SMTPD_PEER_CODE_OK) {
3673  attr_value = CLIENT_NAME_UNKNOWN;
3674  } else {
3675  if (!valid_hostname(attr_value, DONT_GRIPE)) {
3676  state->error_mask |= MAIL_ERROR_PROTOCOL;
3677  smtpd_chat_reply(state, "501 5.5.4 Bad %s syntax: %s",
3678  XCLIENT_NAME, attr_value);
3679  return (-1);
3680  }
3681  }
3682  state->name_status = name_status;
3683  UPDATE_STR(state->name, attr_value);
3684  update_namaddr = 1;
3685  if (name_status == SMTPD_PEER_CODE_OK) {
3686  UPDATE_STR(state->reverse_name, attr_value);
3687  state->reverse_name_status = name_status;
3688  }
3689  }
3690 
3691  /*
3692  * REVERSE_NAME=substitute SMTP client reverse hostname. Also updates
3693  * the client reverse hostname lookup status code.
3694  */
3695  else if (STREQ(attr_name, XCLIENT_REVERSE_NAME)) {
3696  name_status = name_code(peer_codes, NAME_CODE_FLAG_NONE, attr_value);
3697  if (name_status != SMTPD_PEER_CODE_OK) {
3698  attr_value = CLIENT_NAME_UNKNOWN;
3699  } else {
3700  if (!valid_hostname(attr_value, DONT_GRIPE)) {
3701  state->error_mask |= MAIL_ERROR_PROTOCOL;
3702  smtpd_chat_reply(state, "501 5.5.4 Bad %s syntax: %s",
3703  XCLIENT_REVERSE_NAME, attr_value);
3704  return (-1);
3705  }
3706  }
3707  state->reverse_name_status = name_status;
3708  UPDATE_STR(state->reverse_name, attr_value);
3709  }
3710 
3711  /*
3712  * ADDR=substitute SMTP client network address.
3713  */
3714  else if (STREQ(attr_name, XCLIENT_ADDR)) {
3715  if (STREQ(attr_value, XCLIENT_UNAVAILABLE)) {
3716  attr_value = CLIENT_ADDR_UNKNOWN;
3717  bare_value = attr_value;
3718  } else {
3719  if ((bare_value = valid_mailhost_addr(attr_value, DONT_GRIPE)) == 0) {
3720  state->error_mask |= MAIL_ERROR_PROTOCOL;
3721  smtpd_chat_reply(state, "501 5.5.4 Bad %s syntax: %s",
3722  XCLIENT_ADDR, attr_value);
3723  return (-1);
3724  }
3725  }
3726  UPDATE_STR(state->addr, bare_value);
3727  UPDATE_STR(state->rfc_addr, attr_value);
3728 #ifdef HAS_IPV6
3729  if (strncasecmp(attr_value, INET_PROTO_NAME_IPV6 ":",
3730  sizeof(INET_PROTO_NAME_IPV6 ":") - 1) == 0)
3731  state->addr_family = AF_INET6;
3732  else
3733 #endif
3734  state->addr_family = AF_INET;
3735  update_namaddr = 1;
3736  }
3737 
3738  /*
3739  * PORT=substitute SMTP client port number.
3740  */
3741  else if (STREQ(attr_name, XCLIENT_PORT)) {
3742  if (STREQ(attr_value, XCLIENT_UNAVAILABLE)) {
3743  attr_value = CLIENT_PORT_UNKNOWN;
3744  } else {
3745  if (!alldig(attr_value)
3746  || strlen(attr_value) > sizeof("65535") - 1) {
3747  state->error_mask |= MAIL_ERROR_PROTOCOL;
3748  smtpd_chat_reply(state, "501 5.5.4 Bad %s syntax: %s",
3749  XCLIENT_PORT, attr_value);
3750  return (-1);
3751  }
3752  }
3753  UPDATE_STR(state->port, attr_value);
3754  update_namaddr = 1;
3755  }
3756 
3757  /*
3758  * HELO=substitute SMTP client HELO parameter. Censor special
3759  * characters that could mess up message headers.
3760  */
3761  else if (STREQ(attr_name, XCLIENT_HELO)) {
3762  if (STREQ(attr_value, XCLIENT_UNAVAILABLE)) {
3763  attr_value = CLIENT_HELO_UNKNOWN;
3764  } else {
3765  if (strlen(attr_value) > VALID_HOSTNAME_LEN) {
3766  state->error_mask |= MAIL_ERROR_PROTOCOL;
3767  smtpd_chat_reply(state, "501 5.5.4 Bad %s syntax: %s",
3768  XCLIENT_HELO, attr_value);
3769  return (-1);
3770  }
3771  neuter(attr_value, NEUTER_CHARACTERS, '?');
3772  }
3773  UPDATE_STR(state->helo_name, attr_value);
3774  got_helo = 1;
3775  }
3776 
3777  /*
3778  * PROTO=SMTP protocol name.
3779  */
3780  else if (STREQ(attr_name, XCLIENT_PROTO)) {
3781  if (name_code(proto_names, NAME_CODE_FLAG_NONE, attr_value) < 0) {
3782  state->error_mask |= MAIL_ERROR_PROTOCOL;
3783  smtpd_chat_reply(state, "501 5.5.4 Bad %s syntax: %s",
3784  XCLIENT_PROTO, attr_value);
3785  return (-1);
3786  }
3787  UPDATE_STR(state->protocol, uppercase(attr_value));
3788  got_proto = 1;
3789  }
3790 
3791  /*
3792  * LOGIN=sasl_username. Sets the authentication method as XCLIENT.
3793  * This can be used even if SASL authentication is turned off in
3794  * main.cf. We can't make it easier than that.
3795  */
3796 #ifdef USE_SASL_AUTH
3797  else if (STREQ(attr_name, XCLIENT_LOGIN)) {
3798  if (STREQ(attr_value, XCLIENT_UNAVAILABLE) == 0) {
3799  smtpd_sasl_auth_extern(state, attr_value, XCLIENT_CMD);
3800  got_login = 1;
3801  }
3802  }
3803 #endif
3804 
3805  /*
3806  * Unknown attribute name. Complain.
3807  */
3808  else {
3809  state->error_mask |= MAIL_ERROR_PROTOCOL;
3810  smtpd_chat_reply(state, "501 5.5.4 Bad %s attribute name: %s",
3811  XCLIENT_CMD, attr_name);
3812  return (-1);
3813  }
3814  }
3815 
3816  /*
3817  * Update the combined name and address when either has changed.
3818  */
3819  if (update_namaddr) {
3820  if (state->namaddr)
3821  myfree(state->namaddr);
3822  state->namaddr =
3823  SMTPD_BUILD_NAMADDRPORT(state->name, state->addr, state->port);
3824  }
3825 
3826  /*
3827  * XXX Compatibility: when the client issues XCLIENT then we have to go
3828  * back to initial server greeting stage, otherwise we can't correctly
3829  * simulate smtpd_client_restrictions (with smtpd_delay_reject=0) and
3830  * Milter connect restrictions.
3831  *
3832  * XXX Compatibility: for accurate simulation we must also reset the HELO
3833  * information. We keep the information if it was specified in the
3834  * XCLIENT command.
3835  *
3836  * XXX The client connection count/rate control must be consistent in its
3837  * use of client address information in connect and disconnect events. We
3838  * re-evaluate xclient so that we correctly simulate connection
3839  * concurrency and connection rate restrictions.
3840  *
3841  * XXX Duplicated from smtpd_proto().
3842  */
3843  xclient_allowed =
3844  namadr_list_match(xclient_hosts, state->name, state->addr);
3845  /* NOT: tls_reset() */
3846  if (got_helo == 0)
3847  helo_reset(state);
3848  if (got_proto == 0 && strcasecmp(state->protocol, MAIL_PROTO_SMTP) != 0) {
3849  myfree(state->protocol);
3850  state->protocol = mystrdup(MAIL_PROTO_SMTP);
3851  }
3852 #ifdef USE_SASL_AUTH
3853  if (got_login == 0)
3854  smtpd_sasl_auth_reset(state);
3855 #endif
3856  chat_reset(state, 0);
3857  mail_reset(state);
3858  rcpt_reset(state);
3859  if (smtpd_milters)
3860  milter_disc_event(smtpd_milters);
3862  return (0);
3863 }
3864 
3865 /* xforward_cmd - forward logging attributes */
3866 
3867 static int xforward_cmd(SMTPD_STATE *state, int argc, SMTPD_TOKEN *argv)
3868 {
3869  SMTPD_TOKEN *argp;
3870  char *raw_value;
3871  char *attr_value;
3872  const char *bare_value;
3873  char *attr_name;
3874  int updated = 0;
3875  static const NAME_CODE xforward_flags[] = {
3883  0, 0,
3884  };
3885  static const char *context_name[] = {
3886  MAIL_ATTR_RWR_LOCAL, /* Postfix internal form */
3887  MAIL_ATTR_RWR_REMOTE, /* Postfix internal form */
3888  };
3889  static const NAME_CODE xforward_to_context[] = {
3890  XFORWARD_DOM_LOCAL, 0, /* XFORWARD representation */
3891  XFORWARD_DOM_REMOTE, 1, /* XFORWARD representation */
3892  0, -1,
3893  };
3894  int flag;
3895  int context_code;
3896 
3897  /*
3898  * Sanity checks.
3899  */
3900  if (SMTPD_IN_MAIL_TRANSACTION(state)) {
3901  state->error_mask |= MAIL_ERROR_PROTOCOL;
3902  smtpd_chat_reply(state, "503 5.5.1 Error: MAIL transaction in progress");
3903  return (-1);
3904  }
3905  if (argc < 2) {
3906  state->error_mask |= MAIL_ERROR_PROTOCOL;
3907  smtpd_chat_reply(state, "501 5.5.4 Syntax: %s attribute=value...",
3908  XFORWARD_CMD);
3909  return (-1);
3910  }
3911  if (xforward_hosts && xforward_hosts->error)
3912  cant_permit_command(state, XFORWARD_CMD);
3913  if (!xforward_allowed) {
3914  state->error_mask |= MAIL_ERROR_POLICY;
3915  smtpd_chat_reply(state, "550 5.7.0 Error: insufficient authorization");
3916  return (-1);
3917  }
3918 
3919  /*
3920  * Initialize.
3921  */
3922  if (state->xforward.flags == 0)
3923  smtpd_xforward_preset(state);
3924  if (state->expand_buf == 0)
3925  state->expand_buf = vstring_alloc(100);
3926 
3927  /*
3928  * Iterate over all attribute=value elements.
3929  */
3930  for (argp = argv + 1; argp < argv + argc; argp++) {
3931  attr_name = argp->strval;
3932 
3933  if ((raw_value = split_at(attr_name, '=')) == 0 || *raw_value == 0) {
3934  state->error_mask |= MAIL_ERROR_PROTOCOL;
3935  smtpd_chat_reply(state, "501 5.5.4 Error: attribute=value expected");
3936  return (-1);
3937  }
3938  if (strlen(raw_value) > 255) {
3939  state->error_mask |= MAIL_ERROR_PROTOCOL;
3940  smtpd_chat_reply(state, "501 5.5.4 Error: attribute value too long");
3941  return (-1);
3942  }
3943 
3944  /*
3945  * Backwards compatibility: Postfix prior to version 2.3 does not
3946  * xtext encode attribute values.
3947  */
3948  attr_value = xtext_unquote(state->expand_buf, raw_value) ?
3949  STR(state->expand_buf) : raw_value;
3950 
3951  /*
3952  * For safety's sake mask non-printable characters. We'll do more
3953  * specific censoring later.
3954  */
3955  printable(attr_value, '?');
3956 
3957  flag = name_code(xforward_flags, NAME_CODE_FLAG_NONE, attr_name);
3958  switch (flag) {
3959 
3960  /*
3961  * NAME=up-stream host name, not necessarily in the DNS. Censor
3962  * special characters that could mess up message headers.
3963  */
3965  if (STREQ(attr_value, XFORWARD_UNAVAILABLE)) {
3966  attr_value = CLIENT_NAME_UNKNOWN;
3967  } else {
3968  neuter(attr_value, NEUTER_CHARACTERS, '?');
3969  if (!valid_hostname(attr_value, DONT_GRIPE)) {
3970  state->error_mask |= MAIL_ERROR_PROTOCOL;
3971  smtpd_chat_reply(state, "501 5.5.4 Bad %s syntax: %s",
3972  XFORWARD_NAME, attr_value);
3973  return (-1);
3974  }
3975  }
3976  UPDATE_STR(state->xforward.name, attr_value);
3977  break;
3978 
3979  /*
3980  * ADDR=up-stream host network address, not necessarily on the
3981  * Internet. Censor special characters that could mess up message
3982  * headers.
3983  */
3985  if (STREQ(attr_value, XFORWARD_UNAVAILABLE)) {
3986  attr_value = CLIENT_ADDR_UNKNOWN;
3987  bare_value = attr_value;
3988  } else {
3989  neuter(attr_value, NEUTER_CHARACTERS, '?');
3990  if ((bare_value = valid_mailhost_addr(attr_value, DONT_GRIPE)) == 0) {
3991  state->error_mask |= MAIL_ERROR_PROTOCOL;
3992  smtpd_chat_reply(state, "501 5.5.4 Bad %s syntax: %s",
3993  XFORWARD_ADDR, attr_value);
3994  return (-1);
3995  }
3996  }
3997  UPDATE_STR(state->xforward.addr, bare_value);
3998  UPDATE_STR(state->xforward.rfc_addr, attr_value);
3999  break;
4000 
4001  /*
4002  * PORT=up-stream port number.
4003  */
4005  if (STREQ(attr_value, XFORWARD_UNAVAILABLE)) {
4006  attr_value = CLIENT_PORT_UNKNOWN;
4007  } else {
4008  if (!alldig(attr_value)
4009  || strlen(attr_value) > sizeof("65535") - 1) {
4010  state->error_mask |= MAIL_ERROR_PROTOCOL;
4011  smtpd_chat_reply(state, "501 5.5.4 Bad %s syntax: %s",
4012  XFORWARD_PORT, attr_value);
4013  return (-1);
4014  }
4015  }
4016  UPDATE_STR(state->xforward.port, attr_value);
4017  break;
4018 
4019  /*
4020  * HELO=hostname that the up-stream MTA introduced itself with
4021  * (not necessarily SMTP HELO). Censor special characters that
4022  * could mess up message headers.
4023  */
4025  if (STREQ(attr_value, XFORWARD_UNAVAILABLE)) {
4026  attr_value = CLIENT_HELO_UNKNOWN;
4027  } else {
4028  neuter(attr_value, NEUTER_CHARACTERS, '?');
4029  }
4030  UPDATE_STR(state->xforward.helo_name, attr_value);
4031  break;
4032 
4033  /*
4034  * PROTO=up-stream protocol, not necessarily SMTP or ESMTP.
4035  * Censor special characters that could mess up message headers.
4036  */
4038  if (STREQ(attr_value, XFORWARD_UNAVAILABLE)) {
4039  attr_value = CLIENT_PROTO_UNKNOWN;
4040  } else {
4041  if (strlen(attr_value) > 64) {
4042  state->error_mask |= MAIL_ERROR_PROTOCOL;
4043  smtpd_chat_reply(state, "501 5.5.4 Bad %s syntax: %s",
4044  XFORWARD_PROTO, attr_value);
4045  return (-1);
4046  }
4047  neuter(attr_value, NEUTER_CHARACTERS, '?');
4048  }
4049  UPDATE_STR(state->xforward.protocol, attr_value);
4050  break;
4051 
4052  /*
4053  * IDENT=local message identifier on the up-stream MTA. Censor
4054  * special characters that could mess up logging or macro
4055  * expansions.
4056  */
4058  if (STREQ(attr_value, XFORWARD_UNAVAILABLE)) {
4059  attr_value = CLIENT_IDENT_UNKNOWN;
4060  } else {
4061  neuter(attr_value, NEUTER_CHARACTERS, '?');
4062  }
4063  UPDATE_STR(state->xforward.ident, attr_value);
4064  break;
4065 
4066  /*
4067  * DOMAIN=local or remote.
4068  */
4070  if (STREQ(attr_value, XFORWARD_UNAVAILABLE))
4071  attr_value = XFORWARD_DOM_LOCAL;
4072  if ((context_code = name_code(xforward_to_context,
4074  attr_value)) < 0) {
4075  state->error_mask |= MAIL_ERROR_PROTOCOL;
4076  smtpd_chat_reply(state, "501 5.5.4 Bad %s syntax: %s",
4077  XFORWARD_DOMAIN, attr_value);
4078  return (-1);
4079  }
4080  UPDATE_STR(state->xforward.domain, context_name[context_code]);
4081  break;
4082 
4083  /*
4084  * Unknown attribute name. Complain.
4085  */
4086  default:
4087  state->error_mask |= MAIL_ERROR_PROTOCOL;
4088  smtpd_chat_reply(state, "501 5.5.4 Bad %s attribute name: %s",
4089  XFORWARD_CMD, attr_name);
4090  return (-1);
4091  }
4092  updated |= flag;
4093  }
4094  state->xforward.flags |= updated;
4095 
4096  /*
4097  * Update the combined name and address when either has changed. Use only
4098  * the name when no address is available.
4099  */
4101  if (state->xforward.namaddr)
4102  myfree(state->xforward.namaddr);
4103  state->xforward.namaddr =
4106  state->xforward.addr,
4107  state->xforward.port) :
4108  mystrdup(state->xforward.name);
4109  }
4110  smtpd_chat_reply(state, "250 2.0.0 Ok");
4111  return (0);
4112 }
4113 
4114 /* chat_reset - notify postmaster and reset conversation log */
4115 
4116 static void chat_reset(SMTPD_STATE *state, int threshold)
4117 {
4118 
4119  /*
4120  * Notify the postmaster if there were errors. This usually indicates a
4121  * client configuration problem, or that someone is trying nasty things.
4122  * Either is significant enough to bother the postmaster. XXX Can't
4123  * report problems when running in stand-alone mode: postmaster notices
4124  * require availability of the cleanup service.
4125  */
4126  if (state->history != 0 && state->history->argc > threshold) {
4127  if (SMTPD_STAND_ALONE(state) == 0
4128  && (state->error_mask & state->notify_mask))
4129  smtpd_chat_notify(state);
4130  state->error_mask = 0;
4131  smtpd_chat_reset(state);
4132  }
4133 }
4134 
4135 #ifdef USE_TLS
4136 
4137 /* smtpd_start_tls - turn on TLS or force disconnect */
4138 
4139 static void smtpd_start_tls(SMTPD_STATE *state)
4140 {
4141  int rate;
4142  int cert_present;
4143  int requirecert;
4144 
4145 #ifdef USE_TLSPROXY
4146 
4147  /*
4148  * This is non-production code, for tlsproxy(8) load testing only. It
4149  * implements enough to enable some Postfix features that depend on TLS
4150  * encryption.
4151  *
4152  * To insert tlsproxy(8) between this process and the SMTP client, we swap
4153  * the file descriptors between the state->tlsproxy and state->client
4154  * VSTREAMS, so that we don't lose all the user-configurable
4155  * state->client attributes (such as longjump buffers or timeouts).
4156  *
4157  * As we implement tlsproy support in the Postfix SMTP client we should
4158  * develop a usable abstraction that encapsulates this stream plumbing in
4159  * a library module.
4160  */
4162  vstream_control(state->client, VSTREAM_CTL_SWAP_FD, state->tlsproxy,
4163  VSTREAM_CTL_END);
4164  (void) vstream_fclose(state->tlsproxy); /* direct-to-client stream! */
4165  state->tlsproxy = 0;
4166 
4167  /*
4168  * After plumbing the plaintext stream, receive the TLS context object.
4169  * For this we must use the same VSTREAM buffer that we also use to
4170  * receive subsequent SMTP commands. The attribute protocol is robust
4171  * enough that an adversary cannot inject their own bogus TLS context
4172  * attributes into the stream.
4173  */
4174  state->tls_context = tls_proxy_context_receive(state->client);
4175 
4176  /*
4177  * XXX Maybe it is better to send this information to tlsproxy(8) when
4178  * requesting service, effectively making a remote tls_server_start()
4179  * call.
4180  */
4182 
4183 #else /* USE_TLSPROXY */
4184  TLS_SERVER_START_PROPS props;
4185  static char *cipher_grade;
4186  static VSTRING *cipher_exclusions;
4187 
4188  /*
4189  * Wrapper mode uses a dedicated port and always requires TLS.
4190  *
4191  * XXX In non-wrapper mode, it is possible to require client certificate
4192  * verification without requiring TLS. Since certificates can be verified
4193  * only while TLS is turned on, this means that Postfix will happily
4194  * perform SMTP transactions when the client does not use the STARTTLS
4195  * command. For this reason, Postfix does not require client certificate
4196  * verification unless TLS is required.
4197  *
4198  * The cipher grade and exclusions don't change between sessions. Compute
4199  * just once and cache.
4200  */
4201 #define ADD_EXCLUDE(vstr, str) \
4202  do { \
4203  if (*(str)) \
4204  vstring_sprintf_append((vstr), "%s%s", \
4205  VSTRING_LEN(vstr) ? " " : "", (str)); \
4206  } while (0)
4207 
4208  if (cipher_grade == 0) {
4209  cipher_grade = var_smtpd_enforce_tls ?
4211  cipher_exclusions = vstring_alloc(10);
4212  ADD_EXCLUDE(cipher_exclusions, var_smtpd_tls_excl_ciph);
4214  ADD_EXCLUDE(cipher_exclusions, var_smtpd_tls_mand_excl);
4215  if (ask_client_cert)
4216  ADD_EXCLUDE(cipher_exclusions, "aNULL");
4217  }
4218 
4219  /*
4220  * Perform the TLS handshake now. Check the client certificate
4221  * requirements later, if necessary.
4222  */
4224 
4225  state->tls_context =
4226  TLS_SERVER_START(&props,
4227  ctx = smtpd_tls_ctx,
4228  stream = state->client,
4229  fd = -1,
4230  timeout = var_smtpd_starttls_tmout,
4231  requirecert = requirecert,
4232  serverid = state->service,
4233  namaddr = state->namaddr,
4234  cipher_grade = cipher_grade,
4235  cipher_exclusions = STR(cipher_exclusions),
4236  mdalg = var_smtpd_tls_fpt_dgst);
4237 
4238 #endif /* USE_TLSPROXY */
4239 
4240  /*
4241  * For new (i.e. not re-used) TLS sessions, increment the client's new
4242  * TLS session rate counter. We enforce the limit here only for human
4243  * factors reasons (reduce the WTF factor), even though it is too late to
4244  * save the CPU that was already burnt on PKI ops. The real safety
4245  * mechanism applies with future STARTTLS commands (or wrappermode
4246  * connections), prior to the SSL handshake.
4247  *
4248  * XXX The client event count/rate control must be consistent in its use of
4249  * client address information in connect and disconnect events. For now
4250  * we exclude xclient authorized hosts from event count/rate control.
4251  */
4252  if (var_smtpd_cntls_limit > 0
4253  && (state->tls_context == 0 || state->tls_context->session_reused == 0)
4254  && SMTPD_STAND_ALONE(state) == 0
4255  && !xclient_allowed
4256  && anvil_clnt
4257  && !namadr_list_match(hogger_list, state->name, state->addr)
4258  && anvil_clnt_newtls(anvil_clnt, state->service, state->addr,
4259  &rate) == ANVIL_STAT_OK
4260  && rate > var_smtpd_cntls_limit) {
4261  state->error_mask |= MAIL_ERROR_POLICY;
4262  msg_warn("New TLS session rate limit exceeded: %d from %s for service %s",
4263  rate, state->namaddr, state->service);
4264  if (state->tls_context)
4265  smtpd_chat_reply(state,
4266  "421 4.7.0 %s Error: too many new TLS sessions from %s",
4267  var_myhostname, state->namaddr);
4268  /* XXX Use regular return to signal end of session. */
4270  }
4271 
4272  /*
4273  * When the TLS handshake fails, the conversation is in an unknown state.
4274  * There is nothing we can do except to disconnect from the client.
4275  */
4276  if (state->tls_context == 0)
4278 
4279  /*
4280  * If we are requiring verified client certs, enforce the constraint
4281  * here. We have a usable TLS session with the client, so no need to
4282  * disable I/O, ... we can even be polite and send "421 ...".
4283  */
4284  if (requirecert && TLS_CERT_IS_TRUSTED(state->tls_context) == 0) {
4285 
4286  /*
4287  * Fetch and reject the next command (should be EHLO), then
4288  * disconnect (side-effect of returning "421 ...".
4289  */
4290  cert_present = TLS_CERT_IS_PRESENT(state->tls_context);
4291  msg_info("NOQUEUE: abort: TLS from %s: %s",
4292  state->namaddr, cert_present ?
4293  "Client certificate not trusted" :
4294  "No client certificate presented");
4295  smtpd_chat_query(state);
4296  smtpd_chat_reply(state, "421 4.7.1 %s Error: %s",
4297  var_myhostname, cert_present ?
4298  "Client certificate not trusted" :
4299  "No client certificate presented");
4300  state->error_mask |= MAIL_ERROR_POLICY;
4301  return;
4302  }
4303 
4304  /*
4305  * When TLS is turned on, we may offer AUTH methods that would not be
4306  * offered within a plain-text session.
4307  *
4308  * XXX Always refresh SASL the mechanism list after STARTTLS. Dovecot
4309  * responses may depend on whether the SMTP connection is encrypted.
4310  */
4311 #ifdef USE_SASL_AUTH
4312  if (var_smtpd_sasl_enable) {
4313  /* Non-wrappermode, presumably. */
4314  if (smtpd_sasl_is_active(state)) {
4315  smtpd_sasl_auth_reset(state);
4316  smtpd_sasl_deactivate(state);
4317  }
4318  /* Wrappermode and non-wrappermode. */
4319  if (smtpd_sasl_is_active(state) == 0)
4322  }
4323 #endif
4324 }
4325 
4326 /* starttls_cmd - respond to STARTTLS */
4327 
4328 static int starttls_cmd(SMTPD_STATE *state, int argc, SMTPD_TOKEN *unused_argv)
4329 {
4330  const char *err;
4331  int rate;
4332 
4333  if (argc != 1) {
4334  state->error_mask |= MAIL_ERROR_PROTOCOL;
4335  smtpd_chat_reply(state, "501 5.5.4 Syntax: STARTTLS");
4336  return (-1);
4337  }
4338  if (smtpd_milters != 0 && (err = milter_other_event(smtpd_milters)) != 0) {
4339  if (err[0] == '5') {
4340  state->error_mask |= MAIL_ERROR_POLICY;
4341  smtpd_chat_reply(state, "%s", err);
4342  return (-1);
4343  }
4344  /* Sendmail compatibility: map 4xx into 454. */
4345  else if (err[0] == '4') {
4346  state->error_mask |= MAIL_ERROR_POLICY;
4347  smtpd_chat_reply(state, "454 4.3.0 Try again later");
4348  return (-1);
4349  }
4350  }
4351  if (state->tls_context != 0) {
4352  state->error_mask |= MAIL_ERROR_PROTOCOL;
4353  smtpd_chat_reply(state, "554 5.5.1 Error: TLS already active");
4354  return (-1);
4355  }
4356  if (var_smtpd_use_tls == 0
4357  || (state->ehlo_discard_mask & EHLO_MASK_STARTTLS)) {
4358  state->error_mask |= MAIL_ERROR_PROTOCOL;
4359  smtpd_chat_reply(state, "502 5.5.1 Error: command not implemented");
4360  return (-1);
4361  }
4362 #ifdef USE_TLSPROXY
4363 
4364  /*
4365  * Note: state->tlsproxy is left open when smtp_flush() calls longjmp(),
4366  * so we garbage-collect the VSTREAM in smtpd_state_reset().
4367  */
4368 #define PROXY_OPEN_FLAGS \
4369  (TLS_PROXY_FLAG_ROLE_SERVER | TLS_PROXY_FLAG_SEND_CONTEXT)
4370 
4371  state->tlsproxy = tls_proxy_open(var_tlsproxy_service, PROXY_OPEN_FLAGS,
4372  state->client, state->addr,
4373  state->port, var_smtpd_tmout);
4374  if (state->tlsproxy == 0) {
4375  state->error_mask |= MAIL_ERROR_SOFTWARE;
4376  /* RFC 3207 Section 4. */
4377  smtpd_chat_reply(state, "454 4.7.0 TLS not available due to local problem");
4378  return (-1);
4379  }
4380 #else /* USE_TLSPROXY */
4381  if (smtpd_tls_ctx == 0) {
4382  state->error_mask |= MAIL_ERROR_SOFTWARE;
4383  /* RFC 3207 Section 4. */
4384  smtpd_chat_reply(state, "454 4.7.0 TLS not available due to local problem");
4385  return (-1);
4386  }
4387 #endif /* USE_TLSPROXY */
4388 
4389  /*
4390  * Enforce TLS handshake rate limit when this client negotiated too many
4391  * new TLS sessions in the recent past.
4392  *
4393  * XXX The client event count/rate control must be consistent in its use of
4394  * client address information in connect and disconnect events. For now
4395  * we exclude xclient authorized hosts from event count/rate control.
4396  */
4397  if (var_smtpd_cntls_limit > 0
4398  && SMTPD_STAND_ALONE(state) == 0
4399  && !xclient_allowed
4400  && anvil_clnt
4401  && !namadr_list_match(hogger_list, state->name, state->addr)
4402  && anvil_clnt_newtls_stat(anvil_clnt, state->service, state->addr,
4403  &rate) == ANVIL_STAT_OK
4404  && rate > var_smtpd_cntls_limit) {
4405  state->error_mask |= MAIL_ERROR_POLICY;
4406  msg_warn("Refusing STARTTLS request from %s for service %s",
4407  state->namaddr, state->service);
4408  smtpd_chat_reply(state,
4409  "454 4.7.0 Error: too many new TLS sessions from %s",
4410  state->namaddr);
4411 #ifdef USE_TLSPROXY
4412  (void) vstream_fclose(state->tlsproxy);
4413  state->tlsproxy = 0;
4414 #endif
4415  return (-1);
4416  }
4417  smtpd_chat_reply(state, "220 2.0.0 Ready to start TLS");
4418  /* Flush before we switch read/write routines or file descriptors. */
4419  smtp_flush(state->client);
4420  /* At this point there must not be any pending plaintext. */
4422 
4423  /*
4424  * Reset all inputs to the initial state.
4425  *
4426  * XXX RFC 2487 does not forbid the use of STARTTLS while mail transfer is
4427  * in progress, so we have to allow it even when it makes no sense.
4428  */
4429  helo_reset(state);
4430  mail_reset(state);
4431  rcpt_reset(state);
4432 
4433  /*
4434  * Turn on TLS, using code that is shared with TLS wrapper mode. This
4435  * code does not return when the handshake fails.
4436  */
4437  smtpd_start_tls(state);
4438  return (0);
4439 }
4440 
4441 /* tls_reset - undo STARTTLS */
4442 
4443 static void tls_reset(SMTPD_STATE *state)
4444 {
4445  int failure = 0;
4446 
4447  /*
4448  * Don't waste time when we lost contact.
4449  */
4450  if (state->tls_context) {
4451  if (vstream_feof(state->client) || vstream_ferror(state->client))
4452  failure = 1;
4453  vstream_fflush(state->client); /* NOT: smtp_flush() */
4454 #ifdef USE_TLSPROXY
4455  tls_proxy_context_free(state->tls_context);
4456 #else
4457  tls_server_stop(smtpd_tls_ctx, state->client, var_smtpd_starttls_tmout,
4458  failure, state->tls_context);
4459 #endif
4460  state->tls_context = 0;
4461  }
4462 }
4463 
4464 #endif
4465 
4466  /*
4467  * The table of all SMTP commands that we know. Set the junk limit flag on
4468  * any command that can be repeated an arbitrary number of times without
4469  * triggering a tarpit delay of some sort.
4470  */
4471 typedef struct SMTPD_CMD {
4472  char *name;
4473  int (*action) (SMTPD_STATE *, int, SMTPD_TOKEN *);
4474  int flags;
4475 } SMTPD_CMD;
4476 
4477 #define SMTPD_CMD_FLAG_LIMIT (1<<0) /* limit usage */
4478 #define SMTPD_CMD_FLAG_PRE_TLS (1<<1) /* allow before STARTTLS */
4479 #define SMTPD_CMD_FLAG_LAST (1<<2) /* last in PIPELINING command group */
4480 
4481 static SMTPD_CMD smtpd_cmd_table[] = {
4484 #ifdef USE_TLS
4486 #endif
4487 #ifdef USE_SASL_AUTH
4489 #endif
4490  SMTPD_CMD_MAIL, mail_cmd, 0,
4491  SMTPD_CMD_RCPT, rcpt_cmd, 0,
4494  SMTPD_CMD_NOOP, noop_cmd, SMTPD_CMD_FLAG_LIMIT | SMTPD_CMD_FLAG_PRE_TLS | SMTPD_CMD_FLAG_LAST,
4495  SMTPD_CMD_VRFY, vrfy_cmd, SMTPD_CMD_FLAG_LIMIT | SMTPD_CMD_FLAG_LAST,
4498  SMTPD_CMD_XCLIENT, xclient_cmd, 0,
4499  SMTPD_CMD_XFORWARD, xforward_cmd, 0,
4500  0,
4501 };
4502 
4503 static STRING_LIST *smtpd_noop_cmds;
4504 static STRING_LIST *smtpd_forbid_cmds;
4505 
4506 /* smtpd_proto - talk the SMTP protocol */
4507 
4508 static void smtpd_proto(SMTPD_STATE *state)
4509 {
4510  int argc;
4511  SMTPD_TOKEN *argv;
4512  SMTPD_CMD *cmdp;
4513  int tls_rate;
4514  const char *ehlo_words;
4515  const char *err;
4516  int status;
4517  const char *cp;
4518 
4519  /*
4520  * Print a greeting banner and run the state machine. Read SMTP commands
4521  * one line at a time. According to the standard, a sender or recipient
4522  * address could contain an escaped newline. I think this is perverse,
4523  * and anyone depending on this is really asking for trouble.
4524  *
4525  * In case of mail protocol trouble, the program jumps back to this place,
4526  * so that it can perform the necessary cleanup before talking to the
4527  * next client. The setjmp/longjmp primitives are like a sharp tool: use
4528  * with care. I would certainly recommend against the use of
4529  * setjmp/longjmp in programs that change privilege levels.
4530  *
4531  * In case of file system trouble the program terminates after logging the
4532  * error and after informing the client. In all other cases (out of
4533  * memory, panic) the error is logged, and the msg_cleanup() exit handler
4534  * cleans up, but no attempt is made to inform the client of the nature
4535  * of the problem.
4536  */
4538 
4539  while ((status = vstream_setjmp(state->client)) == SMTP_ERR_NONE)
4540  /* void */ ;
4541  switch (status) {
4542 
4543  default:
4544  msg_panic("smtpd_proto: unknown error reading from %s",
4545  state->namaddr);
4546  break;
4547 
4548  case SMTP_ERR_TIME:
4549  state->reason = REASON_TIMEOUT;
4550  if (vstream_setjmp(state->client) == 0)
4551  smtpd_chat_reply(state, "421 4.4.2 %s Error: timeout exceeded",
4552  var_myhostname);
4553  break;
4554 
4555  case SMTP_ERR_EOF:
4556  state->reason = REASON_LOST_CONNECTION;
4557  break;
4558 
4559  case SMTP_ERR_QUIET:
4560  break;
4561 
4562  case SMTP_ERR_DATA:
4563  msg_info("%s: reject: %s from %s: "
4564  "421 4.3.0 %s Server local data error",
4565  (state->queue_id ? state->queue_id : "NOQUEUE"),
4566  state->where, state->namaddr, var_myhostname);
4567  state->error_mask |= MAIL_ERROR_DATA;
4568  if (vstream_setjmp(state->client) == 0)
4569  smtpd_chat_reply(state, "421 4.3.0 %s Server local data error",
4570  var_myhostname);
4571  break;
4572 
4573  case 0:
4574 
4575  /*
4576  * In TLS wrapper mode, turn on TLS using code that is shared with
4577  * the STARTTLS command. This code does not return when the handshake
4578  * fails.
4579  *
4580  * Enforce TLS handshake rate limit when this client negotiated too many
4581  * new TLS sessions in the recent past.
4582  *
4583  * XXX This means we don't complete a TLS handshake just to tell the
4584  * client that we don't provide service. TLS wrapper mode is
4585  * obsolete, so we don't have to provide perfect support.
4586  */
4587 #ifdef USE_TLS
4588  if (SMTPD_STAND_ALONE(state) == 0 && var_smtpd_tls_wrappermode) {
4589 #ifdef USE_TLSPROXY
4590  /* We garbage-collect the VSTREAM in smtpd_state_reset() */
4591  state->tlsproxy = tls_proxy_open(var_tlsproxy_service,
4592  PROXY_OPEN_FLAGS,
4593  state->client, state->addr,
4594  state->port, var_smtpd_tmout);
4595  if (state->tlsproxy == 0) {
4596  msg_warn("Wrapper-mode request dropped from %s for service %s."
4597  " TLS context initialization failed. For details see"
4598  " earlier warnings in your logs.",
4599  state->namaddr, state->service);
4600  break;
4601  }
4602 #else /* USE_TLSPROXY */
4603  if (smtpd_tls_ctx == 0) {
4604  msg_warn("Wrapper-mode request dropped from %s for service %s."
4605  " TLS context initialization failed. For details see"
4606  " earlier warnings in your logs.",
4607  state->namaddr, state->service);
4608  break;
4609  }
4610 #endif /* USE_TLSPROXY */
4611  if (var_smtpd_cntls_limit > 0
4612  && !xclient_allowed
4613  && anvil_clnt
4614  && !namadr_list_match(hogger_list, state->name, state->addr)
4616  state->addr, &tls_rate) == ANVIL_STAT_OK
4617  && tls_rate > var_smtpd_cntls_limit) {
4618  state->error_mask |= MAIL_ERROR_POLICY;
4619  msg_warn("Refusing TLS service request from %s for service %s",
4620  state->namaddr, state->service);
4621  break;
4622  }
4623  smtpd_start_tls(state);
4624  }
4625 #endif
4626 
4627  /*
4628  * XXX The client connection count/rate control must be consistent in
4629  * its use of client address information in connect and disconnect
4630  * events. For now we exclude xclient authorized hosts from
4631  * connection count/rate control.
4632  *
4633  * XXX Must send connect/disconnect events to the anvil server even when
4634  * this service is not connection count or rate limited, otherwise it
4635  * will discard client message or recipient rate information too
4636  * early or too late.
4637  */
4638  if (SMTPD_STAND_ALONE(state) == 0
4639  && !xclient_allowed
4640  && anvil_clnt
4641  && !namadr_list_match(hogger_list, state->name, state->addr)
4642  && anvil_clnt_connect(anvil_clnt, state->service, state->addr,
4643  &state->conn_count, &state->conn_rate)
4644  == ANVIL_STAT_OK) {
4645  if (var_smtpd_cconn_limit > 0
4646  && state->conn_count > var_smtpd_cconn_limit) {
4647  state->error_mask |= MAIL_ERROR_POLICY;
4648  msg_warn("Connection concurrency limit exceeded: %d from %s for service %s",
4649  state->conn_count, state->namaddr, state->service);
4650  smtpd_chat_reply(state, "421 4.7.0 %s Error: too many connections from %s",
4651  var_myhostname, state->addr);
4652  break;
4653  }
4654  if (var_smtpd_crate_limit > 0
4655  && state->conn_rate > var_smtpd_crate_limit) {
4656  msg_warn("Connection rate limit exceeded: %d from %s for service %s",
4657  state->conn_rate, state->namaddr, state->service);
4658  smtpd_chat_reply(state, "421 4.7.0 %s Error: too many connections from %s",
4659  var_myhostname, state->addr);
4660  break;
4661  }
4662  }
4663 
4664  /*
4665  * Determine what server ESMTP features to suppress, typically to
4666  * avoid inter-operability problems. Moved up so we don't send 421
4667  * immediately after sending the initial server response.
4668  */
4669  if (ehlo_discard_maps == 0
4670  || (ehlo_words = maps_find(ehlo_discard_maps, state->addr, 0)) == 0)
4671  ehlo_words = var_smtpd_ehlo_dis_words;
4672  state->ehlo_discard_mask = ehlo_mask(ehlo_words);
4673 
4674  /* XXX We use the real client for connect access control. */
4675  if (SMTPD_STAND_ALONE(state) == 0
4676  && var_smtpd_delay_reject == 0
4677  && (err = smtpd_check_client(state)) != 0) {
4678  state->error_mask |= MAIL_ERROR_POLICY;
4679  state->access_denied = mystrdup(err);
4680  smtpd_chat_reply(state, "%s", state->access_denied);
4681  state->error_count++;
4682  }
4683 
4684  /*
4685  * RFC 2034: the text part of all 2xx, 4xx, and 5xx SMTP responses
4686  * other than the initial greeting and any response to HELO or EHLO
4687  * are prefaced with a status code as defined in RFC 3463.
4688  */
4689 
4690  /*
4691  * XXX If a Milter rejects CONNECT, reply with 220 except in case of
4692  * hard reject or 421 (disconnect). The reply persists so it will
4693  * apply to MAIL FROM and to other commands such as AUTH, STARTTLS,
4694  * and VRFY. Note: after a Milter CONNECT reject, we must not reject
4695  * HELO or EHLO, but we do change the feature list that is announced
4696  * in the EHLO response.
4697  */
4698  else {
4699  err = 0;
4700  if (smtpd_milters != 0 && SMTPD_STAND_ALONE(state) == 0) {
4702  (void *) state);
4703  if ((err = milter_conn_event(smtpd_milters, state->name,
4704  state->addr,
4705  strcmp(state->port, CLIENT_PORT_UNKNOWN) ?
4706  state->port : "0",
4707  state->addr_family)) != 0)
4708  err = check_milter_reply(state, err);
4709  }
4710  if (err && err[0] == '5') {
4711  state->error_mask |= MAIL_ERROR_POLICY;
4712  smtpd_chat_reply(state, "554 %s ESMTP not accepting connections",
4713  var_myhostname);
4714  state->error_count++;
4715  } else if (err && strncmp(err, "421", 3) == 0) {
4716  state->error_mask |= MAIL_ERROR_POLICY;
4717  smtpd_chat_reply(state, "421 %s Service unavailable - try again later",
4718  var_myhostname);
4719  /* Not: state->error_count++; */
4720  } else {
4721  smtpd_chat_reply(state, "220 %s", var_smtpd_banner);
4722  }
4723  }
4724 
4725  /*
4726  * SASL initialization for plaintext mode.
4727  *
4728  * XXX Backwards compatibility: allow AUTH commands when the AUTH
4729  * announcement is suppressed via smtpd_sasl_exceptions_networks.
4730  *
4731  * XXX Safety: don't enable SASL with "smtpd_tls_auth_only = yes" and
4732  * non-TLS build.
4733  */
4734 #ifdef USE_SASL_AUTH
4735  if (var_smtpd_sasl_enable && smtpd_sasl_is_active(state) == 0
4736 #ifdef USE_TLS
4737  && state->tls_context == 0 && !var_smtpd_tls_auth_only
4738 #else
4739  && var_smtpd_tls_auth_only == 0
4740 #endif
4741  )
4744 #endif
4745 
4746  for (;;) {
4747  if (state->flags & SMTPD_FLAG_HANGUP)
4748  break;
4749  if (state->error_count >= var_smtpd_hard_erlim) {
4750  state->reason = REASON_ERROR_LIMIT;
4751  state->error_mask |= MAIL_ERROR_PROTOCOL;
4752  smtpd_chat_reply(state, "421 4.7.0 %s Error: too many errors",
4753  var_myhostname);
4754  break;
4755  }
4756  watchdog_pat();
4757  smtpd_chat_query(state);
4758  /* Move into smtpd_chat_query() and update session transcript. */
4759  if (smtpd_cmd_filter != 0) {
4760  for (cp = STR(state->buffer); *cp && IS_SPACE_TAB(*cp); cp++)
4761  /* void */ ;
4762  if ((cp = dict_get(smtpd_cmd_filter, cp)) != 0) {
4763  msg_info("%s: replacing command \"%.100s\" with \"%.100s\"",
4764  state->namaddr, STR(state->buffer), cp);
4765  vstring_strcpy(state->buffer, cp);
4766  } else if (smtpd_cmd_filter->error != 0) {
4767  msg_warn("%s:%s lookup error for \"%.100s\"",
4768  smtpd_cmd_filter->type, smtpd_cmd_filter->name,
4769  printable(STR(state->buffer), '?'));
4771  }
4772  }
4773  if ((argc = smtpd_token(vstring_str(state->buffer), &argv)) == 0) {
4774  state->error_mask |= MAIL_ERROR_PROTOCOL;
4775  smtpd_chat_reply(state, "500 5.5.2 Error: bad syntax");
4776  state->error_count++;
4777  continue;
4778  }
4779  /* Ignore smtpd_noop_cmds lookup errors. Non-critical feature. */
4780  if (*var_smtpd_noop_cmds
4781  && string_list_match(smtpd_noop_cmds, argv[0].strval)) {
4782  smtpd_chat_reply(state, "250 2.0.0 Ok");
4783  if (state->junk_cmds++ > var_smtpd_junk_cmd_limit)
4784  state->error_count++;
4785  continue;
4786  }
4787  for (cmdp = smtpd_cmd_table; cmdp->name != 0; cmdp++)
4788  if (strcasecmp(argv[0].strval, cmdp->name) == 0)
4789  break;
4790  /* Ignore smtpd_forbid_cmds lookup errors. Non-critical feature. */
4791  if (cmdp->name == 0) {
4792  state->where = SMTPD_CMD_UNKNOWN;
4793  if (is_header(argv[0].strval)
4795  && string_list_match(smtpd_forbid_cmds, argv[0].strval))) {
4796  msg_warn("non-SMTP command from %s: %.100s",
4797  state->namaddr, vstring_str(state->buffer));
4798  smtpd_chat_reply(state, "221 2.7.0 Error: I can break rules, too. Goodbye.");
4799  break;
4800  }
4801  }
4802  /* XXX We use the real client for connect access control. */
4803  if (state->access_denied && cmdp->action != quit_cmd) {
4804  /* XXX Exception for Milter override. */
4805  if (strncmp(state->access_denied + 1, "21", 2) == 0) {
4806  smtpd_chat_reply(state, "%s", state->access_denied);
4807  continue;
4808  }
4809  smtpd_chat_reply(state, "503 5.7.0 Error: access denied for %s",
4810  state->namaddr); /* RFC 2821 Sec 3.1 */
4811  state->error_count++;
4812  continue;
4813  }
4814  /* state->access_denied == 0 || cmdp->action == quit_cmd */
4815  if (cmdp->name == 0) {
4816  if (smtpd_milters != 0
4817  && SMTPD_STAND_ALONE(state) == 0
4818  && (err = milter_unknown_event(smtpd_milters,
4819  argv[0].strval)) != 0
4820  && (err = check_milter_reply(state, err)) != 0) {
4821  smtpd_chat_reply(state, "%s", err);
4822  } else
4823  smtpd_chat_reply(state, "502 5.5.2 Error: command not recognized");
4824  state->error_mask |= MAIL_ERROR_PROTOCOL;
4825  state->error_count++;
4826  continue;
4827  }
4828 #ifdef USE_TLS
4829  if (var_smtpd_enforce_tls &&
4830  !state->tls_context &&
4831  (cmdp->flags & SMTPD_CMD_FLAG_PRE_TLS) == 0) {
4832  smtpd_chat_reply(state,
4833  "530 5.7.0 Must issue a STARTTLS command first");
4834  state->error_count++;
4835  continue;
4836  }
4837 #endif
4838  state->where = cmdp->name;
4839  if (SMTPD_STAND_ALONE(state) == 0
4840  && (strcasecmp(state->protocol, MAIL_PROTO_ESMTP) != 0
4841  || (cmdp->flags & SMTPD_CMD_FLAG_LAST))
4842  && (state->flags & SMTPD_FLAG_ILL_PIPELINING) == 0
4843  && (vstream_peek(state->client) > 0
4844  || peekfd(vstream_fileno(state->client)) > 0)) {
4845  if (state->expand_buf == 0)
4846  state->expand_buf = vstring_alloc(100);
4847  escape(state->expand_buf, vstream_peek_data(state->client),
4848  vstream_peek(state->client) < 100 ?
4849  vstream_peek(state->client) : 100);
4850  msg_info("improper command pipelining after %s from %s: %s",
4851  cmdp->name, state->namaddr, STR(state->expand_buf));
4852  state->flags |= SMTPD_FLAG_ILL_PIPELINING;
4853  }
4854  if (cmdp->action(state, argc, argv) != 0)
4855  state->error_count++;
4856  if ((cmdp->flags & SMTPD_CMD_FLAG_LIMIT)
4857  && state->junk_cmds++ > var_smtpd_junk_cmd_limit)
4858  state->error_count++;
4859  if (cmdp->action == quit_cmd)
4860  break;
4861  }
4862  break;
4863  }
4864 
4865  /*
4866  * XXX The client connection count/rate control must be consistent in its
4867  * use of client address information in connect and disconnect events.
4868  * For now we exclude xclient authorized hosts from connection count/rate
4869  * control.
4870  *
4871  * XXX Must send connect/disconnect events to the anvil server even when
4872  * this service is not connection count or rate limited, otherwise it
4873  * will discard client message or recipient rate information too early or
4874  * too late.
4875  */
4876  if (SMTPD_STAND_ALONE(state) == 0
4877  && !xclient_allowed
4878  && anvil_clnt
4879  && !namadr_list_match(hogger_list, state->name, state->addr))
4880  anvil_clnt_disconnect(anvil_clnt, state->service, state->addr);
4881 
4882  /*
4883  * Log abnormal session termination, in case postmaster notification has
4884  * been turned off. In the log, indicate the last recognized state before
4885  * things went wrong. Don't complain about clients that go away without
4886  * sending QUIT. Log the byte count after DATA to help diagnose MTU
4887  * troubles.
4888  */
4889  if (state->reason && state->where) {
4890  if (strcmp(state->where, SMTPD_AFTER_DATA) == 0) {
4891  msg_info("%s after %s (%lu bytes) from %s", /* 2.5 compat */
4892  state->reason, SMTPD_CMD_DATA, /* 2.5 compat */
4893  (long) (state->act_size + vstream_peek(state->client)),
4894  state->namaddr);
4895  } else if (strcmp(state->where, SMTPD_AFTER_DOT)
4896  || strcmp(state->reason, REASON_LOST_CONNECTION)) {
4897  msg_info("%s after %s from %s",
4898  state->reason, state->where, state->namaddr);
4899  }
4900  }
4901 
4902  /*
4903  * Cleanup whatever information the client gave us during the SMTP
4904  * dialog.
4905  *
4906  * XXX Duplicated in xclient_cmd().
4907  */
4908 #ifdef USE_TLS
4909  tls_reset(state);
4910 #endif
4911  helo_reset(state);
4912 #ifdef USE_SASL_AUTH
4913  smtpd_sasl_auth_reset(state);
4914  if (smtpd_sasl_is_active(state)) {
4915  smtpd_sasl_deactivate(state);
4916  }
4917 #endif
4918  chat_reset(state, 0);
4919  mail_reset(state);
4920  rcpt_reset(state);
4921  if (smtpd_milters)
4922  milter_disc_event(smtpd_milters);
4923 }
4924 
4925 /* smtpd_service - service one client */
4926 
4927 static void smtpd_service(VSTREAM *stream, char *service, char **argv)
4928 {
4929  SMTPD_STATE state;
4930 
4931  /*
4932  * Sanity check. This service takes no command-line arguments.
4933  */
4934  if (argv[0])
4935  msg_fatal("unexpected command-line argument: %s", argv[0]);
4936 
4937  /*
4938  * For sanity, require that at least one of INET or INET6 is enabled.
4939  * Otherwise, we can't look up interface information, and we can't
4940  * convert names or addresses.
4941  */
4942  if (SMTPD_STAND_ALONE_STREAM(stream) == 0
4943  && inet_proto_info()->ai_family_list[0] == 0)
4944  msg_fatal("all network protocols are disabled (%s = %s)",
4946 
4947  /*
4948  * This routine runs when a client has connected to our network port, or
4949  * when the smtp server is run in stand-alone mode (input from pipe).
4950  *
4951  * Look up and sanitize the peer name, then initialize some connection-
4952  * specific state. When the name service is hosed, hostname lookup will
4953  * take a while. This is why I always run a local name server on critical
4954  * machines.
4955  */
4956  smtpd_state_init(&state, stream, service);
4957  msg_info("connect from %s", state.namaddr);
4958 
4959  /*
4960  * Disable TLS when running in stand-alone mode via "sendmail -bs".
4961  */
4962  if (SMTPD_STAND_ALONE((&state))) {
4963  var_smtpd_use_tls = 0;
4966  }
4967 
4968  /*
4969  * XCLIENT must not override its own access control.
4970  */
4971  xclient_allowed = SMTPD_STAND_ALONE((&state)) == 0 &&
4972  namadr_list_match(xclient_hosts, state.name, state.addr);
4973 
4974  /*
4975  * Overriding XFORWARD access control makes no sense, either.
4976  */
4977  xforward_allowed = SMTPD_STAND_ALONE((&state)) == 0 &&
4978  namadr_list_match(xforward_hosts, state.name, state.addr);
4979 
4980  /*
4981  * See if we need to turn on verbose logging for this client.
4982  */
4983  debug_peer_check(state.name, state.addr);
4984 
4985  /*
4986  * Provide the SMTP service.
4987  */
4988  if ((state.flags & SMTPD_FLAG_HANGUP) == 0)
4989  smtpd_proto(&state);
4990 
4991  /*
4992  * After the client has gone away, clean up whatever we have set up at
4993  * connection time.
4994  */
4995  msg_info("disconnect from %s", state.namaddr);
4996  smtpd_state_reset(&state);
4998 }
4999 
5000 /* pre_accept - see if tables have changed */
5001 
5002 static void pre_accept(char *unused_name, char **unused_argv)
5003 {
5004  const char *table;
5005 
5006  if ((table = dict_changed_name()) != 0) {
5007  msg_info("table %s has changed -- restarting", table);
5008  exit(0);
5009  }
5010 }
5011 
5012 /* pre_jail_init - pre-jail initialization */
5013 
5014 static void pre_jail_init(char *unused_name, char **unused_argv)
5015 {
5016 
5017  /*
5018  * Initialize blacklist/etc. patterns before entering the chroot jail, in
5019  * case they specify a filename pattern.
5020  */
5027 
5028  /*
5029  * Open maps before dropping privileges so we can read passwords etc.
5030  *
5031  * XXX We should not do this in stand-alone (sendmail -bs) mode, but we
5032  * can't use SMTPD_STAND_ALONE(state) here. This means "sendmail -bs"
5033  * will try to connect to proxymap when invoked by root for mail
5034  * submission. To fix, we would have to pass stand-alone mode information
5035  * via different means. For now we have to tell people not to run mail
5036  * clients as root.
5037  */
5038  if (getuid() == 0 || getuid() == var_owner_uid)
5039  smtpd_check_init();
5041  debug_peer_init();
5042 
5044 #ifdef USE_SASL_AUTH
5046 
5048  sasl_exceptions_networks =
5051 #else
5052  msg_warn("%s is true, but SASL support is not compiled in",
5054 #endif
5055 
5056  if (*var_smtpd_cmd_filter)
5057  smtpd_cmd_filter = dict_open(var_smtpd_cmd_filter, O_RDONLY,
5059 
5060  /*
5061  * XXX Temporary fix to pretend that we consistently implement TLS
5062  * security levels. We implement only a subset for now. If we implement
5063  * more levels, wrappermode should override only weaker TLS security
5064  * levels.
5065  *
5066  * Note: tls_level_lookup() logs no warning.
5067  */
5070  default:
5071  msg_fatal("Invalid TLS level \"%s\"", var_smtpd_tls_level);
5072  /* NOTREACHED */
5073  break;
5074  case TLS_LEV_SECURE:
5075  case TLS_LEV_VERIFY:
5076  case TLS_LEV_FPRINT:
5077  msg_warn("%s: unsupported TLS level \"%s\", using \"encrypt\"",
5079  /* FALLTHROUGH */
5080  case TLS_LEV_ENCRYPT:
5082  break;
5083  case TLS_LEV_MAY:
5085  var_smtpd_use_tls = 1;
5086  break;
5087  case TLS_LEV_NONE:
5089  break;
5090  }
5091  }
5092 
5093  /*
5094  * With TLS wrapper mode, we run on a dedicated port and turn on TLS
5095  * before actually speaking the SMTP protocol. This implies TLS enforce
5096  * mode.
5097  *
5098  * With non-wrapper mode, TLS enforce mode implies that we don't advertise
5099  * AUTH before the client issues STARTTLS.
5100  */
5104 
5105  /*
5106  * Keys can only be loaded when running with suitable permissions. When
5107  * called from "sendmail -bs" this is not the case, so we must not
5108  * announce STARTTLS support.
5109  */
5110  if (getuid() == 0 || getuid() == var_owner_uid) {
5111  if (var_smtpd_use_tls) {
5112 #ifdef USE_TLS
5113 #ifndef USE_TLSPROXY
5114  TLS_SERVER_INIT_PROPS props;
5115  const char *cert_file;
5116  int have_server_cert;
5117  int no_server_cert_ok;
5118  int require_server_cert;
5119 
5120  /*
5121  * Can't use anonymous ciphers if we want client certificates.
5122  * Must use anonymous ciphers if we have no certificates.
5123  *
5124  * XXX: Ugh! Too many booleans!
5125  */
5126  ask_client_cert = require_server_cert =
5129  if (strcasecmp(var_smtpd_tls_cert_file, "none") == 0) {
5130  no_server_cert_ok = 1;
5131  cert_file = "";
5132  } else {
5133  no_server_cert_ok = 0;
5134  cert_file = var_smtpd_tls_cert_file;
5135  }
5136  have_server_cert =
5138 
5139  /* Some TLS configuration errors are not show stoppers. */
5140  if (!have_server_cert && require_server_cert)
5141  msg_warn("Need a server cert to request client certs");
5143  msg_warn("Can't require client certs unless TLS is required");
5144  /* After a show-stopper error, reply with 454 to STARTTLS. */
5145  if (have_server_cert || (no_server_cert_ok && !require_server_cert))
5146 
5147  /*
5148  * Large parameter lists are error-prone, so we emulate a
5149  * language feature that C does not have natively: named
5150  * parameter lists.
5151  */
5152  smtpd_tls_ctx =
5153  TLS_SERVER_INIT(&props,
5154  log_param = VAR_SMTPD_TLS_LOGLEVEL,
5155  log_level = var_smtpd_tls_loglevel,
5156  verifydepth = var_smtpd_tls_ccert_vd,
5157  cache_type = TLS_MGR_SCACHE_SMTPD,
5158  set_sessid = var_smtpd_tls_set_sessid,
5159  cert_file = cert_file,
5160  key_file = var_smtpd_tls_key_file,
5161  dcert_file = var_smtpd_tls_dcert_file,
5162  dkey_file = var_smtpd_tls_dkey_file,
5163  eccert_file = var_smtpd_tls_eccert_file,
5164  eckey_file = var_smtpd_tls_eckey_file,
5165  CAfile = var_smtpd_tls_CAfile,
5166  CApath = var_smtpd_tls_CApath,
5167  dh1024_param_file
5169  dh512_param_file
5171  eecdh_grade = var_smtpd_tls_eecdh,
5172  protocols = var_smtpd_enforce_tls ?
5175  ask_ccert = ask_client_cert,
5176  mdalg = var_smtpd_tls_fpt_dgst);
5177  else
5178  msg_warn("No server certs available. TLS won't be enabled");
5179 #endif /* USE_TLSPROXY */
5180 #else
5181  msg_warn("TLS has been selected, but TLS support is not compiled in");
5182 #endif
5183  }
5184  }
5185 
5186  /*
5187  * flush client.
5188  */
5189  flush_init();
5190 
5191  /*
5192  * EHLO keyword filter.
5193  */
5195  ehlo_discard_maps = maps_create(VAR_SMTPD_EHLO_DIS_MAPS,
5197  DICT_FLAG_LOCK);
5198 }
5199 
5200 /* post_jail_init - post-jail initialization */
5201 
5202 static void post_jail_init(char *unused_name, char **unused_argv)
5203 {
5204 
5205  /*
5206  * Initialize the receive transparency options: do we want unknown
5207  * recipient checks, address mapping, header_body_checks?.
5208  */
5211 
5212  /*
5213  * Initialize before-queue filter options: do we want speed-matching
5214  * support so that the entire message is received before we contact a
5215  * before-queue content filter?
5216  */
5217  if (*var_smtpd_proxy_filt)
5220 
5221  /*
5222  * Sendmail mail filters.
5223  *
5224  * XXX Should not do this when running in stand-alone mode. But that test
5225  * looks at VSTREAM_IN which is not available at this point.
5226  *
5227  * XXX Disable non_smtpd_milters when not sending our own mail filter list.
5228  */
5230  if (*var_smtpd_milters)
5231  smtpd_milters = milter_create(var_smtpd_milters,
5245  else
5247  }
5248 
5249  /*
5250  * Sanity checks. The queue_minfree value should be at least as large as
5251  * (process_limit * message_size_limit) but that is unpractical, so we
5252  * arbitrarily pick a small multiple of the per-message size limit. This
5253  * helps to avoid many unneeded (re)transmissions.
5254  */
5255  if (var_queue_minfree > 0
5256  && var_message_limit > 0
5258  msg_warn("%s(%lu) should be at least 1.5*%s(%lu)",
5259  VAR_QUEUE_MINFREE, (unsigned long) var_queue_minfree,
5260  VAR_MESSAGE_LIMIT, (unsigned long) var_message_limit);
5261 
5262  /*
5263  * Connection rate management.
5264  */
5269 }
5270 
5272 
5273 /* main - the main program */
5274 
5275 int main(int argc, char **argv)
5276 {
5277  static const CONFIG_NINT_TABLE nint_table[] = {
5282  0,
5283  };
5284  static const CONFIG_INT_TABLE int_table[] = {
5315 #ifdef USE_TLS
5317 #endif
5318  0,
5319  };
5320  static const CONFIG_TIME_TABLE time_table[] = {
5328 #ifdef USE_TLS
5330 #endif
5336  0,
5337  };
5338  static const CONFIG_BOOL_TABLE bool_table[] = {
5354 #ifdef USE_TLS
5359 #endif
5363  0,
5364  };
5365  static const CONFIG_NBOOL_TABLE nbool_table[] = {
5367  0,
5368  };
5369  static const CONFIG_STR_TABLE str_table[] = {
5415